XSS on Yahoo Mail

From: Richard Fuchshuber (richardfuch_at_yahoo.com.br)
Date: 11/23/05

  • Next message: Mandriva Security Team: "MDKSA-2005:215 - Updated binutils packages fix vulnerabilities"
    Date: Wed, 23 Nov 2005 14:44:34 -0300 (ART)
    To: bugtraq@securityfocus.com
    
    

      Hi,

    I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
    attachments. It's possible to insert data into the "Yahoo! Mail" html
    interface.

    For example, with the following code in an html attachment it's possible
    to insert "Your profile is out of date, please update clicking here" above
    the button "Check Mail".

    <?
    <TABLE border="1" cellspacing="1" cellpadding="0">
    <TR>Your profile is out of date, please update <a
    href="www.blabla.com">clicking here.</a></TR>
    </TABLE>

    I think this could be used in phishing scam.

    For a screenshot, see [1]. The circulated text was inserted into interface
    of the "Yahoo! Mail" through an email with the above code as an html
    attachment.

    I tried to contact "Yahoo!" several times, without success.

    [1] - http://richard.computeiro.com/yahoo_bug.jpg

            

            
                    
    _______________________________________________________
    Yahoo! Acesso Grátis: Internet rápida e grátis.
    Instale o discador agora!
    http://br.acesso.yahoo.com/


  • Next message: Mandriva Security Team: "MDKSA-2005:215 - Updated binutils packages fix vulnerabilities"

    Relevant Pages