[NEWS] Cross Site Scripting Vulnerability Found in Yahoo WebSite

From: SecuriTeam (support_at_securiteam.com)
Date: 08/24/03

  • Next message: SecuriTeam: "[UNIX] Buffer Overflow in Whois Client" 
    To: list@securiteam.com
Date: 24 Aug 2003 16:41:09 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Cross Site Scripting Vulnerability Found in Yahoo WebSite
    ------------------------------------------------------------------------

    SUMMARY

    A vulnerability in Yahoo web site allows remote attackers to cause it to
    insert malicious HTML or JavaScript into existing web pages of Yahoo
    Website.

    DETAILS

    Every time you use Yahoo messenger to send file to other Yahoo messenger
    users, Yahoo messenger will ask you whether you want to upload the file to
    Yahoo servers. If you chose yes then Yahoo messenger will upload the file
    to Yahoo server and provide you with a link for the downloading process.
    This link can then be sent to a friend for downloading.

    Links typically look like:
    http://us.f1.yahoofs.com/msgr/YahooID/.tmp/Filename.html?Random_Code

    Where:
     YahooID: Your Yahoo messenger ID
     FileName: Your filename
     Random_Code: is a set of random characters (Alphanumeric) which only the
    person who know this random code is allowed to access to this file.
     
    Now all you need in order to add a malicious HTML or JavaScript is place
    it after the last "/". The HTML or JavaScript will be parsed into the
    response received from the server.

    Example:
    http://us.f1.yahoofs.com/msgr/YahooID/.tmp/<
    script>alert('Hat-Squad.com');</script>
    http://us.f2.yahoofs.com/< script>alert('Hat-Squad.com');</script>
    http://us.f2.yahoofs.com/<
    script>window.open("http://www.hat-squad.com")</script>

    Vendor response:
    The vendor has been contacted, no response has been received, it appears
    though that he has fixed the issue.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:nima_majidi@hat-squad.com>
    nima_majidi.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Buffer Overflow in Whois Client"

    Relevant Pages