Full Disclosure mailing list archives
Re: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com
From: Stefan Schurtz <sschurtz () t-online de>
Date: Sat, 08 Mar 2014 12:01:55 +0100
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Jann, you're right...bad description here (too much copy & paste) :) The XSS is cookie-based, so you can find it in the cookie with the payload. Please see "&intl=dec52a6"-alert(document.domain)-"c8d9133635e;" Kind regards, Stefan Am 08.03.2014 11:40, schrieb Jann Horn:
On Sat, Mar 08, 2014 at 11:24:03AM +0100, Stefan Schurtz wrote:The 'intl'-Paramter on "https://de-mg42.mail.yahoo.com/" is prone to a Cross-site Scripting vulnerability [...] GET https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr Host: de-mg42.mail.yahoo.com [...]Uh, where is that intl parameter you speak of? the only parameter I see here is .rand, which, as far as I know, just serves to circumvent caching. And where is the XSS payload?
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iEYEARECAAYFAlMa+J0ACgkQg3svV2LcbMCRLwCfR1L1XiqxEjnT4F8Z/MYJFbLS KSoAnRQAMaK6woO866COwlK1kPsYaueu =wg9L -----END PGP SIGNATURE-----
Attachment:
0x62DC6CC0.asc
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com Stefan Schurtz (Mar 08)
- Message not available
- Re: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com Stefan Schurtz (Mar 08)
- Message not available