Re: [Full-Disclosure] Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)

From: Berend-Jan Wever (SkyLined_at_edup.tudelft.nl)
Date: 06/03/04

    To: <full-disclosure@lists.netsys.com>
    Date: Thu, 3 Jun 2004 16:12:49 +0200
    
    

    When I was into finding XSS, I found holes in just about every web-based
    email provider with relative ease... The only one that I found was pretty
    hardened was hotmail (Probably because everyone is trying to find holes all
    the time).
    I bet this is still just the tip of the iceberg for yahoo, keep up the good
    work.

    Oh, here's one I found a long time ago (yahoo), they probably fixed it by now,
    but I haven't checked:
    <STYLE>*{width:expression( eval(alert("hello, world!"); )}</STYLE>

    BTW. Long time no advisory, guys. I thought you had quit... What have you
    been up to?

    Cheers,
    SkyLined

    ----- Original Message -----
    From: "GreyMagic Software" <security@greymagic.com>
    To: <full-disclosure@lists.netsys.com>
    Sent: Thursday, June 03, 2004 15:52
    Subject: [Full-Disclosure] Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)

    > GreyMagic Security Advisory GM#006-MC
    > =====================================
    >
    > GreyMagic Software, 03 Jun 2004.
    >
    > Available in HTML format at
    > http://www.greymagic.com/security/advisories/gm006-mc/.
    >
    > Topic: Simple Yahoo! Mail Cross-Site Scripting.
    >
    > Discovery date: 16 May 2004.
    >
    > Affected applications:
    > ======================
    >
    > * Yahoo! web-based email service.
    >
    >
    > Introduction:
    > =============
    >
    > Web-based email services and Yahoo! specifically make tremendous efforts to
    > sanitize incoming emails from potentially unsafe HTML content. Flawed
    > filtering of such unsafe content may result in severe consequences that
    > would occur as soon as a user opens an email for reading, including:
    >
    > * Theft of login and password.
    > * Content disclosure of any email in the mailbox.
    > * Automatically send emails from the mailbox.
    > * Exploitation of known vulnerabilities in the browser to access the user's
    > file system and eventually take over the machine.
    > * Distribution of a web-based email worm.
    > * Disclosure of all contacts within the address book.
    >
    >
    > Discussion:
    > ===========
    >
    > GreyMagic discovered that by sending a maliciously formed email to a Yahoo
    > user it is possible to circumvent the filter and execute script in the
    > context of a logged-in Yahoo! user.
    >
    > A known Cross-Site Scripting weakness is using entities instead of actual
    > chars, for example: "jav&#97script:alert()". There is also a variation of
    > that weakness, caused by the way browsers ignore white-space chars in URLs:
    > "java&#13;script:alert()". Yahoo! properly filters both of these scenarios.
    >
    > However, a third variation remains unfiltered. It is possible to embed a
    > javascript URL by using a white-space entity with multiple zero chars in
    > front of it: "java&#000013;script:alert()".
    >
    >
    > Exploit:
    > ========
    >
    > The following HTML embedded in an email would show a Yahoo! user's cookie
    > when opened:
    >
    > <div style="background-image:url(jav&#000013;ascript:alert(document.cookie))">Hello!</div>
    >
    >
    > Solution:
    > =========
    >
    > GreyMagic informed Yahoo! of the vulnerability on 20-May-2004. Yahoo!
    > responded promptly and reported that it patched the vulnerability on
    > 24-May-2004.
    >
    >
    > Tested on:
    > ==========
    >
    > Yahoo! web-based email service.
    >
    >
    > Disclaimer:
    > ===========
    >
    > The information in this advisory and any of its demonstrations is provided
    > "as is" without warranty of any kind.
    >
    > GreyMagic Software is not liable for any direct or indirect damages caused
    > as a result of using the information or demonstrations provided in any part
    > of this advisory.
    >
    > - Copyright © 2004 GreyMagic Software.
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html

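As an added illustration (not part of either message above), the following Python compares a filter of the kind the advisory describes, which decodes only zero-free character references, with a check that canonicalizes a URL the way a browser does (decode every numeric reference, drop control characters and whitespace, case-fold) before matching its scheme against an allow-list. The sample URLs are constructed from the advisory's three variants plus a benign one; the function names are my own.

```python
import re

# A decimal or hex numeric character reference. The digit run may carry any
# number of leading zeros (&#000013; still names U+000D); the ';' is optional.
_NUMERIC_REF = re.compile(r"&#(x[0-9a-f]+|[0-9]+);?", re.IGNORECASE)

# Constructed samples: the advisory's three variants and a benign image URL.
SAMPLES = {
    "entity_letter": "jav&#97script:alert()",
    "entity_cr": "java&#13;script:alert()",
    "entity_cr_zeros": "jav&#000013;ascript:alert(document.cookie)",
    "benign": "http://example.com/img.png",
}

ALLOWED_SCHEMES = {"", "http", "https", "mailto"}  # '' means a relative URL


def decode_numeric_refs(value: str) -> str:
    """Replace every numeric character reference with the code point it names."""
    def repl(match):
        ref = match.group(1)
        code = int(ref[1:], 16) if ref[0] in "xX" else int(ref, 10)
        return chr(code) if code < 0x110000 else ""
    return _NUMERIC_REF.sub(repl, value)


def canonical_scheme(url: str) -> str:
    """Scheme as the browser will see it: references decoded, ASCII control
    characters and spaces removed, lower-cased. Returns '' if there is none."""
    decoded = decode_numeric_refs(url)
    cleaned = "".join(ch for ch in decoded if ord(ch) > 0x20)
    scheme, sep, _ = cleaned.partition(":")
    return scheme.lower() if sep else ""


def naive_is_safe(url: str) -> bool:
    """Filter of the kind the advisory bypasses: it decodes references that
    have no leading zeros, strips control characters, then looks for the
    literal 'javascript:' (a deny-list), so &#000013; survives undecoded."""
    decoded = re.sub(r"&#([1-9][0-9]*);?", lambda m: chr(int(m.group(1))), url)
    cleaned = "".join(ch for ch in decoded if ord(ch) > 0x20)
    return "javascript:" not in cleaned.lower()


def is_safe_url(url: str) -> bool:
    """Allow-list on the canonical scheme; everything else is rejected."""
    return canonical_scheme(url) in ALLOWED_SCHEMES


def audit(samples: dict) -> dict:
    """Map each sample name to (naive verdict, allow-list verdict)."""
    return {name: (naive_is_safe(u), is_safe_url(u)) for name, u in samples.items()}
```

Running `audit(SAMPLES)` shows the naive filter catching only the first two variants, exactly the gap the advisory reports, while the allow-list check rejects all three and keeps the benign URL.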
