[NEWS] Yahoo! Mail Cross-Site Scripting Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 12/20/04
- Previous message: SecuriTeam: "[UNIX] singapore Image Gallery Web Application Multiple Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 20 Dec 2004 18:29:52 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Yahoo! Mail Cross-Site Scripting Vulnerability
------------------------------------------------------------------------
SUMMARY
Finjan has discovered a script injection vulnerability in Yahoo! Mail that
allows a remote attacker to execute malicious scripts when the victim is
reading his/her mail.
DETAILS
Yahoo s mobile code filtering mechanism is based on an active content
filter whose purpose is to block the injection of any active content into
Yahoo! messages. Yahoo s filter identifies any instance of the inline use
of the JavaScript protocol (e.g. JavaScript: ) and upon identification
adds an underscore before the j , thus creating an invalid protocol
request. The above filtering algorithm can be bypassed by inserting
encoded tab characters (	) into the JavaScript string.
For example:
------------
< div style="background: url(j	a	v	a	
s	c	r	i	p	t:alert());"></div>
Any tag that supports the style property can be used to call a JavaScript
file. The injected JavaScript code could lead to:
* Automatic launching of malicious code
* Stealing the victim's password by using a spoofed re-login window
* Reading the victim's INBOX and contacts
* Sending an email message without any user authorization
Proof of Concept:
< div style="backgr
ound:ur
l(ja		v	a	
sc	r	i	p	
t:alert());"></div>
Vulnerability Status:
Vendor was notified on Sep 8th, 2004. The bug is now fixed.
ADDITIONAL INFORMATION
The information has been provided by <mailto:theinsider@012.net.il> Rafel
Ivgi, The-Insider.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[UNIX] singapore Image Gallery Web Application Multiple Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
