Re: Remote crashes in Yahoo messenger

• Previous message: skizzik@imail.ru: "Open Bulletin Board javascript bug."
• In reply to: Scott Woodward: "Remote crashes in Yahoo messenger"
• Next in thread: Chris Bisnett: "Re: Re: Remote crashes in Yahoo messenger"
• Reply: Chris Bisnett: "Re: Re: Remote crashes in Yahoo messenger"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 22 Feb 2002 18:06:51 -0800 (PST)
From: Chris Bisnett <wav_boy2@yahoo.com>
To: Scott Woodward <scott@phoenixtechie.com>, bugtraq@securityfocus.com

I would also like to point out that messenger sends
the password in clear text. I don't know if that has
been said before and if it has i'm sorry

--- Scott Woodward <scott@phoenixtechie.com> wrote:
> All versions of Yahoo messenger version 5. Listens
> on port 5101 on client
> machine. (obviously to
> offload server traffic for IMs)
>
> problems:
> (for all of the problems listed below, the traffic
> is sent to the yahoo
> messenger opened port, 5101)
>
> 1. One can crash yahoo messenger by overflowing
> the message field in the
> yahoo protocol.
> 2. One can crash yahoo messenger by overflowing
> the IMvironment field in
> the yahoo protocol.
> 3. One can send a message as a spoofed name.
> 4. One can send many many messages from different
> names, flooding the
> person.
> 5. One can add a person to their buddy list
> (without their consent even),
> then message them a few times and that persons IP
> address will be sent in a
> message over yahoo's server.
>
> I would imagine there are many many more security
> problems to be found.
>
>
>

__________________________________________________
Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games
http://sports.yahoo.com

• Previous message: skizzik@imail.ru: "Open Bulletin Board javascript bug."
• In reply to: Scott Woodward: "Remote crashes in Yahoo messenger"
• Next in thread: Chris Bisnett: "Re: Re: Remote crashes in Yahoo messenger"
• Reply: Chris Bisnett: "Re: Re: Remote crashes in Yahoo messenger"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages [NT] Multiple Vulnerabilities in Yahoo! Messenger ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... There are multiple vulnerabilities in Yahoo! ... Yahoo Messenger - Multiple Vulnerabilities. ... (Securiteam) CERT Advisory CA-2002-16 Multiple Vulnerabilities in Yahoo! Messenger ... There are multiple vulnerabilities in Yahoo! ... Messenger is a widely used program for communicating with other ... that permits a remote attacker to execute arbitrary script and HTML ... (Cert) CERT Advisory CA-2002-16 Multiple Vulnerabilities in Yahoo! Messenger ... There are multiple vulnerabilities in Yahoo! ... Messenger is a widely used program for communicating with other ... that permits a remote attacker to execute arbitrary script and HTML ... (Cert) Re: [Full-disclosure] obtai an IP of an MSN Messenger contact ... this yahoo employee offers great tips for international hackers ... to target individual employees. ... but by the countless corporate users who post in his ... On messenger though, not even corporate users use a proxy, even though ... (Full-Disclosure) How do i stop yahoo with netscreen. ... But yahoo tried everything, blocked 3 entire subnets and still no joy, any ... I have all ports in denied, and all ports out apart from SMTP, pop3, ... disallow ICQ and Yahoo Messenger through port 80 ... (Security-Basics)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint