[NEWS] Yahoo WebMail! Cross Site Scripting Vulnerability (order, sort)
From: SecuriTeam (support_at_securiteam.com)
Date: 03/15/04
To: list@securiteam.com Date: 15 Mar 2004 09:46:41 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Yahoo WebMail! Cross Site Scripting Vulnerability (order, sort)
------------------------------------------------------------------------
SUMMARY
<http://www.yahoo.com> Yahoo is one of the world's best and most common
free web mail vendors. Yahoo mail is very reliable, safe and fast. It also
allows secure connections (SSL) when checking mail. A cross-site scripting
vulnerability allows a remote attacker to hijack existing accounts.
DETAILS
Vulnerable Systems:
* Yahoo WebMail!
Upon logging into Yahoo WebMail! and opening an email message, the URL
looks something along the lines of:
http://us.f200.mail.yahoo.com/ym/ShowLetter?MsgId=3308_151647_1069_1720_553_0_917_-1_0&YY=96862&inc=25&order=down&sort=date&pos=0&view=a&head=b&box=Inbox
Testing all the variables seen in the URL yields the following results:
MsgId=3308_151647_1069_1720_553_0_917_-1_0 --> this field's content
doesn't really matter; what is important is that it is numeric and
written with the correct syntax.
YY=96862 --> safe
inc=25 --> safe
order=down"><scr!pt>alert('xss')</scr!pt> --> vulnerable
sort=date"><scr!pt>alert('xss')</scr!pt> --> vulnerable
pos=0 --> safe
view=a --> safe
head=b --> safe
box=Inbox --> safe
Note: The script tag has been replaced with scr!pt so that an alert
wouldn't pop up in the viewer's browser.
Pointing the browser to one of the following links while logged on, or
while a cookie containing authentication information is saved on the
local machine, will allow script injection and thus theft of the
account.
The following examples illustrate the vulnerability:
http://us.f200.mail.yahoo.com/ym/ShowLetter?MsgId=3308_151647_1069_1720_553_0_917_-1_0&YY=96862&inc=25&order=down"><scr!pt>alert('This can be your cookie')</scr!pt>&sort=date&pos=0&view=a&head=b&box=Inbox
http://us.f200.mail.yahoo.com/ym/ShowLetter?MsgId=3308_151647_1069_1720_553_0_917_-1_0&YY=92552&inc=25&order=down&sort=date"><scr!pt>alert(document.cookie)</scr!pt>&pos=0&view=a&head=b&box=Inbox
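As an added illustration (not part of the advisory, and not Yahoo's code), the hypothetical template below reflects the order and sort values into a link's href attribute the way the payloads above imply; the leading "> closes the attribute and the tag, which is why the rest of the value runs as markup. The allowlist values other than "down" and "date" are assumed.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the page template behind ShowLetter: the
# order/sort query values land inside an href attribute (hypothetical
# markup; the real Yahoo template is not on the page).
TEMPLATE = '<a href="/ym/ShowLetter?order={order}&sort={sort}">Sort</a>'

ALLOWED_ORDER = {"up", "down"}              # assumed allowlist
ALLOWED_SORT = {"date", "from", "subject"}  # assumed allowlist


def render_vulnerable(order: str, sort: str) -> str:
    """Reflects the raw values: a value starting with '">' closes the
    attribute and the <a> tag, so anything after it is parsed as HTML."""
    return TEMPLATE.format(order=order, sort=sort)


def render_escaped(order: str, sort: str) -> str:
    """Output encoding: attribute-escape every value before reflection,
    so '"' becomes &quot; and '<' becomes &lt; and no tag can open."""
    return TEMPLATE.format(order=html.escape(order, quote=True),
                           sort=html.escape(sort, quote=True))


def render_allowlisted(order: str, sort: str) -> str:
    """Input validation: only known tokens are reflected at all; unknown
    values fall back to the defaults seen in the advisory's URL."""
    if order not in ALLOWED_ORDER:
        order = "down"
    if sort not in ALLOWED_SORT:
        sort = "date"
    return render_escaped(order, sort)


def breaks_out_of_attribute(rendered: str) -> bool:
    """Detection heuristic for this template: a tag opened right after a
    closing quote means a value escaped the href context."""
    return '"><' in rendered


def params_from_url(url: str) -> dict:
    """Pull the query parameters out of a ShowLetter-style URL."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {k: v[0] for k, v in qs.items()}


if __name__ == "__main__":
    payload = 'down"><script>alert(\'xss\')</script>'   # payload from the advisory
    print(render_vulnerable(payload, "date"))   # script tag lands in the page
    print(render_escaped(payload, "date"))      # stays inert text
```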
ADDITIONAL INFORMATION
The information has been provided by <mailto:theinsider@012.net.il> Rafel
Ivgi, The-Insider.