Re: XSS on Yahoo Mail

From: Jim Ley (jim_at_jibbering.com)
Date: 11/24/05

    To: bugtraq@securityfocus.com
    Date:  Thu, 24 Nov 2005 19:28:45 -0000


    "Will Wesley" <willwesleyccna@yahoo.de> wrote in message
    news:20051124025004.32883.qmail@web26902.mail.ukl.yahoo.com...

    >This is not exactly a problem with Yahoo!, but rather
    >a problem with the way browsers tend to render HTML
    >when forced to deal with broken tags.

    So it's a problem with Yahoo, as they allow the email to write to places on
    the screen that are not part of the email. I agree this is certainly down to
    the liberalness of the browser's parser, but that doesn't mean Yahoo can
    ignore it; it's just a demonstration of how difficult a job it is for people
    who want to accept arbitrary HTML to be secure for their users.

    Of course there is a pretty simple solution, which is to just use an IFRAME,
    then there's no way for the email to escape into the surrounding chrome.

    Jim.
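The IFRAME approach from the message above, as an added example that is not part of the original thread or of Yahoo's code. It contrasts inlining an untrusted message body into the mail client's page with placing it in an iframe via the HTML5 `sandbox` and `srcdoc` attributes (both postdate the 2005 post, so their availability is an assumption here). The sample message and the example.invalid URL are constructed, and `unclosedTags` is a deliberately crude tag counter, not an HTML parser, used only to show which tags the outer document sees.

```javascript
// Added example (not from the original thread): render untrusted email HTML
// inside a sandboxed iframe via srcdoc, so an unterminated tag in the message
// cannot swallow the surrounding mail client's markup.

// Escape a string for safe placement inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Inline rendering (the pattern the thread criticises): the message body is
// concatenated straight into the mail client's page. Shown only for contrast.
function renderInline(untrustedHtml) {
  return '<div class="chrome">Inbox toolbar</div>' +
         '<div class="message">' + untrustedHtml + '</div>' +
         '<div class="chrome">Reply | Delete</div>';
}

// Sandboxed rendering: the body becomes the srcdoc of an iframe with an empty
// sandbox attribute (no scripts, no same-origin access, no top navigation).
// The attribute escaping means nothing in the message is a tag of the outer page.
function renderSandboxed(untrustedHtml) {
  return '<div class="chrome">Inbox toolbar</div>' +
         '<iframe sandbox="" srcdoc="' + escapeAttr(untrustedHtml) + '"></iframe>' +
         '<div class="chrome">Reply | Delete</div>';
}

// Crude heuristic, not a real HTML parser: list the element names that were
// opened but never closed in the outer document, by walking tags in order.
function unclosedTags(html) {
  const open = [];
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const name = m[1].toLowerCase();
    if (m[0].startsWith('</')) {
      const i = open.lastIndexOf(name);
      if (i !== -1) open.splice(i, 1);
    } else if (!m[0].endsWith('/>')) {
      open.push(name);
    }
  }
  return open;
}

// Constructed sample message with an unterminated anchor tag.
const SAMPLE_EMAIL = 'Hello, <a href="https://example.invalid/">click';

// Usage: with inline rendering the <a> stays open across the "Reply | Delete"
// chrome; with the sandboxed iframe the outer document sees no email tags at all.
console.log('inline unclosed:   ', unclosedTags(renderInline(SAMPLE_EMAIL)));
console.log('sandboxed unclosed:', unclosedTags(renderSandboxed(SAMPLE_EMAIL)));
```

An empty sandbox attribute is the strictest setting; adding tokens such as allow-scripts weakens it, and putting the message on a separate origin via src gives stronger isolation than srcdoc alone. The iframe only contains layout and script escape; content-level concerns such as remote image loads still need a separate sanitising pass.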

