[NEWS] Yahoo! Mail Cross-Site Scripting Vulnerability

• Previous message: SecuriTeam: "[UNIX] singapore Image Gallery Web Application Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 20 Dec 2004 18:29:52 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Yahoo! Mail Cross-Site Scripting Vulnerability
------------------------------------------------------------------------

SUMMARY

Finjan has discovered a script injection vulnerability in Yahoo! Mail that
allows a remote attacker to execute malicious scripts when the victim is
reading his/her mail.

DETAILS

Yahoo s mobile code filtering mechanism is based on an active content
filter whose purpose is to block the injection of any active content into
Yahoo! messages. Yahoo s filter identifies any instance of the inline use
of the JavaScript protocol (e.g. JavaScript: ) and upon identification
adds an underscore before the j , thus creating an invalid protocol
request. The above filtering algorithm can be bypassed by inserting
encoded tab characters (	) into the JavaScript string.

For example:
------------
< div style="background: url(j&#x0009;a&#x0009;v&#x0009;a&#x0009;
s&#x0009;c&#x0009;r&#x0009;i&#x0009;p&#x0009;t:alert());"></div>

Any tag that supports the style property can be used to call a JavaScript
file. The injected JavaScript code could lead to:
 * Automatic launching of malicious code
 * Stealing the victim's password by using a spoofed re-login window
 * Reading the victim's INBOX and contacts
 * Sending an email message without any user authorization

Proof of Concept:
< div style="&#x000062;&#x000061;&#x00063;&#x00006B;&#x000067;&#x000072;
&#x00006F;&#x000075;&#x00006E;&#x000064;&#x00003A;&#x00075;&#x00072;
&#x0006C;&#x00028;j&#x00061;&#x0009;&#x0009;v&#x0009;&#x00061;&#x0009;
s&#x00063;&#x0009;&#x00072;&#x0009;&#x00069;&#x0009;&#x00070;&#x0009;
&#x00074;&#x0003A;alert());"></div>

Vulnerability Status:
Vendor was notified on Sep 8th, 2004. The bug is now fixed.

ADDITIONAL INFORMATION

The information has been provided by <mailto:theinsider@012.net.il> Rafel
Ivgi, The-Insider.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[UNIX] singapore Image Gallery Web Application Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

• [REVS] Misunderstanding Javascript Injection: Web Application Abuse via Javascript Injection
  ... The following security advisory is sent to the securiteam mailing list, and can be
  found at the SecuriTeam web site: http://www.securiteam.com ... Misunderstanding Javascript
  Injection: Web Application Abuse via ... various security oriented mailing lists, there
  are issues Tim has not seen ... (Securiteam)
• [UNIX] Konqueror DoS via JavaScript Read of FTP iframe
  ... The following security advisory is sent to the securiteam mailing list, and can be
  found at the SecuriTeam web site: http://www.securiteam.com ... Konqueror DoS via JavaScript Read
  of FTP iframe ... Konqueror crashes if JavaScript code tries to read the source
  of a child ... Gentoo and Debian running KDE 3.5.5. ... (Securiteam)
• [NEWS] Internet Explorer and Opera JavaScript Ghost Vulnerability
  ... The following security advisory is sent to the securiteam mailing list, and can be
  found at the SecuriTeam web site: http://www.securiteam.com ... A bug in Internet Explorer and
  Opera's processing of JavaScript allows ... visible to the user if the user asks for the
  source code of the HTML page. ... If the user browser is vulnerable for this vulnerability,
  ... (Securiteam)
• [NT] Internet Explorer Code Execution Through MIME Manipulation
  ... The following security advisory is sent to the securiteam mailing list, and can be
  found at the SecuriTeam web site: http://www.securiteam.com ... file that contains active content
  (JavaScript etc) and give it a jpg ... extension, then convince a user to access
  that so called image but instead ... This allows someone to cause a file that ends with jpg
  to not be processed ... (Securiteam)
• [NT] Yahoo! Messenger URL Handler Remote DoS
  ... The following security advisory is sent to the securiteam mailing list, and can be
  found at the SecuriTeam web site: http://www.securiteam.com ... A denial of service vulnerability
  exists in the way Yahoo! ... When these packets are sent Yahoo! ... Messenger
  version 6.0 ... (Securiteam)