Re: XSS on Yahoo Mail

From: Personal Account (jetflash_at_hotpop.com)
Date: 11/24/05

  • Next message: little.hacker_at_gmail.com: "Re: XSS on Yahoo Mail"
    To: bugtraq@securityfocus.com
    Date: Wed, 23 Nov 2005 20:23:19 -0500
    
    

    Doing mouse over shows the truth.

    On Wed, 2005-11-23 at 12:44, Richard Fuchshuber wrote:
    > Hi,
    >
    > I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
    > attachments. It's possible to insert data into the "Yahoo! Mail" html
    > interface.
    >
    > For example, with the following code in an html attachment it's possible
    > to insert "Your profile is out of date, please update clicking here" above
    > the button "Check Mail".
    >
    > <?
    > <TABLE border="1" cellspacing="1" cellpadding="0">
    > <TR>Your profile is out of date, please update <a
    > href="www.blabla.com">clicking here.</a></TR>
    > </TABLE>
    >
    > I think this could be used in a phishing scam.
    >
    > For a screenshot, see [1]. The circulated text was inserted into interface
    > of the "Yahoo! Mail" through an email with the above code as an html
    > attachment.
    >
    > I tried to contact "Yahoo!" several times, without success.
    >
    >
    > [1] - http://richard.computeiro.com/yahoo_bug.jpg
    >
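
The behaviour reported in this thread comes from attachment markup being merged into the mail interface's own page. The following is an added example, not code from either poster or from Yahoo!: a minimal Python sketch of a preview routine that treats an HTML attachment as untrusted, keeps only its text, and prints each link's real destination next to the link text so the reader does not depend on a mouse-over. The names preview_attachment and attachment-preview are hypothetical.

```python
from html import escape
from html.parser import HTMLParser

# The attachment body quoted in the report above, used as sample input.
REPORTED_ATTACHMENT = (
    '<TABLE border="1" cellspacing="1" cellpadding="0">\n'
    '<TR>Your profile is out of date, please update <a\n'
    'href="www.blabla.com">clicking here.</a></TR>\n'
    '</TABLE>\n'
)


class _TextAndLinks(HTMLParser):
    """Collect visible text and remember each link's real destination."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.parts = []
        self._href = None

    def handle_starttag(self, tag, attrs):
        # Tag names arrive lower-cased; every attribute except href is dropped.
        if tag == "a":
            self._href = dict(attrs).get("href") or ""

    def handle_endtag(self, tag):
        # Spell out the destination right after the link text.
        if tag == "a" and self._href is not None:
            self.parts.append(f" [link target: {self._href}]")
            self._href = None

    def handle_data(self, data):
        self.parts.append(data)


def preview_attachment(untrusted_html: str) -> str:
    """Return a markup-free, HTML-escaped preview of an HTML attachment."""
    parser = _TextAndLinks()
    parser.feed(untrusted_html)
    parser.close()
    # Collapse whitespace, then escape so no attachment byte is parsed as markup.
    text = " ".join("".join(parser.parts).split())
    # Hypothetical wrapper element supplied by the mail interface itself.
    return '<pre class="attachment-preview">' + escape(text) + "</pre>"
```

With the reported attachment as input, the table and anchor markup never reach the surrounding page and the link destination is shown as plain text.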

