RE: [Full-disclosure] Vunerability in yahoo webmail.

That doesn't work any more.
Another one, for Internet Explorer however does work that i found the
other day.
Send yourself one using my POC :)

php0t /

-----Original Message-----
From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of wac
Sent: Thursday, June 15, 2006 5:51 AM
To: David Loyall
Cc: full-disclosure@xxxxxxxxxxxxxxxxx; abuse@xxxxxxxxx
Subject: Re: [Full-disclosure] Vunerability in yahoo webmail.

Hi folks:
Can I get this file somewhere else? Like a web site or something. This
gmail thing detects it as a virus. I doub't yahoo will let it pass
still, that's wht i don;t ask anyne to send it to me ;). I wonder who
asked to have an stupid scanner in the e-mail that you can't disable. I
don't even have one on my computer!!! Anyway I understand I'm not common
kind of people ;). Thanx in advance.


On 6/12/06, David Loyall <david.loyall@xxxxxxxxx> wrote:

Hello, all.

I just received an email with an html attachment, on a yahoo account.

When I opened the mail, yahoo automatically displayed the html, and
executed the code within. What the hell. =) It forwarded the message
to my contacts list, (or some other set of addresses, dunno,) and
redirected my browser to a website.

I'm of to a BBQ, and I don't care about yahoo. So I'm not even going to
read the code and see how this happens. I'm attaching the html file as
a text file. Enjoy!

Oh, I've CC'd abuse@xxxxxxxxx, but if someone else would give them a
proper write-up, and encourage them to close the hole, that'd be

--David Loyall
Omaha, Nebraska
David <> Loyall

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Relevant Pages