Full Disclosure mailing list archives
Re: yahoomail dom based xss vulnerability
From: Chris Evans <scarybeasts () gmail com>
Date: Tue, 29 Jun 2010 08:21:26 -0700
On Mon, Jun 14, 2010 at 9:50 PM, pratul agrawal <pratulag () yahoo com> wrote:
> Yahoo mail Dom Based Cross Site Scripting
> Founder: Pratul Agrawal <pratulag[at]yahoo[dot]com>
>
> Description
> Service: Webmail
> Vendor: Yahoo mail, and possibly others
> Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
> Severity: High

I've been meaning to reply to this for a while. I'm not picking on you in particular. I'm picking on the industry trend to escalate severities to "high" and even "critical" for issues of no particular concern. Losing focus on the bugs that are _actually_ of "high" or "critical" severity is a very bad thing.

In this instance, it would appear that the victim has to follow a list of instructions -- including pasting a suspicious piece of script into a text field -- in order for them to be exploited. It is of lesser severity than a persisted XSS (0 suspicious link clicks to exploit) and also of lesser severity than even a reflected XSS (1 suspicious link click to exploit).

In fact, if we assume a model where we can simply persuade the victim to operate under this level of the attacker's instruction, we might as well ask the victim to paste a javascript URI into the URL bar. Or simply ask the victim to enter text such as attacker () evil com in a UI control for a forwarding address.

The vulnerability described in "steps to reproduce" cannot realistically be considered to be of "high" severity.

Cheers
Chris

> Tested on: Microsoft IE 7.0
>
> Details: Yahoo mail filter fails to detect script attributes in combination with the style attribute as a tag, leaving everyone using yahoo mail service with MSIE vulnerable to Cross Site Scripting including Cookie Theft and relogin attacks.
>
> Impact: This is totally a dom based xss attack. An application takes the user supplied data and directly feeds it into the API designed to show the newly created folder name in the yahoomail. Through this an attacker can easily perform a cookie theft attack, Site defacement attack and many more.
>
> Steps To Reproduce
> 1. Log in to yahoomail with valid credentials.
> 2. Click on inbox.
> 3. Now click on Move < [New Folder].
> 4. Now enter the javascript "><script>alert('yahoo')</script> in the field given for creating new folder.
> 5. Press OK and the script gets executed.
>
> yahhhhooooo
>
> Best Regards,
> Pratul Agrawal
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
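
The sink described in the quoted report (a new folder name fed straight into the page), shown beside an output-encoded version. This is an added example, not part of the original e-mails and not Yahoo's code; the function names and the <li> markup are assumptions made for illustration.

```javascript
// Constructed input: the folder name from step 4 of the quoted report.
const REPORTED_NAME = `"><script>alert('yahoo')</script>`;

// Vulnerable pattern (hypothetical markup): the user-supplied name is
// concatenated into a string that is later assigned to innerHTML. The
// leading "> closes the title attribute and the tag, so the remainder
// is parsed as new elements.
function renderFolderUnsafe(name) {
  return '<li class="folder" title="' + name + '">' + name + '</li>';
}

// Encode the five characters that can change HTML parsing context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: same markup, every dynamic value encoded on output.
// In a browser, createElement + textContent + setAttribute is preferable,
// because the name then never passes through the HTML parser at all.
function renderFolderSafe(name) {
  const safe = escapeHtml(name);
  return '<li class="folder" title="' + safe + '">' + safe + '</li>';
}

// Structural check for the demo: count tag openers in the output.
// Exactly two (<li> and </li>) are expected; any more came from the name.
function countTags(html) {
  return (html.match(/<\/?[a-zA-Z]/g) || []).length;
}

function demo() {
  return {
    unsafeTags: countTags(renderFolderUnsafe(REPORTED_NAME)),
    safeTags: countTags(renderFolderSafe(REPORTED_NAME)),
    safeHtml: renderFolderSafe(REPORTED_NAME),
  };
}

console.log(demo());
```

The encoded output displays the folder name literally, so legitimate names containing characters such as & or < still round-trip correctly.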