Government Security
Network Security Resources

Cross Site Scripting Vulnerability Found In Yahoo

security server vulnerability javascript
  • This topic is locked
2 replies to this topic

#1 Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 17 September 2003 - 07:31 PM

Cross Site Scripting Vulnerability Found in Yahoo


Summary
A vulnerability in the Yahoo web site allows remote attackers to cause it to insert malicious HTML or JavaScript into existing web pages of the Yahoo web site.


Details
Every time you use Yahoo messenger to send a file to other Yahoo messenger users, Yahoo messenger will ask you whether you want to upload the file to Yahoo servers. If you choose yes, Yahoo messenger will upload the file to a Yahoo server and provide you with a link for the downloading process. This link can then be sent to a friend for downloading.

Links typically look like: http://us.f1.yahoofs...tml?Random_Code

Where:
  • YahooID: your Yahoo messenger ID
  • FileName: your filename
  • Random_Code: a set of random (alphanumeric) characters; only a person who knows this random code is allowed to access this file.

Now all you need to do in order to add malicious HTML or JavaScript is place it after the last "/". The HTML or JavaScript will be parsed into the response received from the server.

Example:
http://us.f1.yahoofs.../YahooID/.tmp/< script>alert('Hat-Squad.com');</script>
http://us.f2.yahoofs.com/< script>alert('Hat-Squad.com');</script>
http://us.f2.yahoofs.com/< script>window.open("http://www.hat-squad.com")</script>

Vendor response:
The vendor has been contacted and no response has been received; it appears, though, that they have fixed the issue.

The information has been provided by nima_majidi.
With this link:
http://www.securitea...5QP0M15AUI.html

#2 TTl

    Private

  • Members
  • 4 posts

Posted 02 March 2010 - 06:20 AM

I do have a custom-made Yahoo Cookie Grabber designed to save only the Y and T cookies, taken through the XSS, needed for auth. It has encoding features and it partially protects the XSS from being disclosed (although HTTP headers never lie). The "admin" page only lists the Yahoo! ID, IP, date/time, zip code and has only two options: LOGIN and DELETE. As it is a personal project and it uses a vulnerability that could compromise electronic postmail privacy, I will not publish it. Some of the XSSes I've found had been reported to Yahoo.

I can only provide guidance, but if you google "yahoo cookie grabber" you'll find what you need.

I also tried to build a cookie grabber for MSN, but the cookie that holds the auth token, MSNRAuth (if I remember well), has the HTTP-Only flag :(
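
Added example, not part of any post in this thread and not Yahoo's code: a sketch of the server-side fix for the path reflection described in post #1, together with the HttpOnly cookie flag mentioned in post #2. The function names, the `session` cookie name, the page template and the sample paths are all assumptions constructed for illustration.

```python
import html
from http.cookies import SimpleCookie
from urllib.parse import unquote

PAGE = "<html><body><h1>Not found</h1><p>No such file: {}</p></body></html>"

# Constructed request paths: a harmless script marker placed after the last
# "/", once literally and once percent-encoded.
SAMPLE_PATHS = [
    "/YahooID/.tmp/<script>alert(1)</script>",
    "/YahooID/.tmp/%3Cscript%3Ealert(1)%3C/script%3E",
]


def render_vulnerable(raw_path):
    """Reflect the decoded path into the HTML body unchanged (the flaw)."""
    return PAGE.format(unquote(raw_path))


def render_hardened(raw_path):
    """Decode first, then HTML-escape, so encoded markup is neutralised too."""
    return PAGE.format(html.escape(unquote(raw_path), quote=True))


def response_headers(session_token):
    """Headers for the hardened response, including an HttpOnly cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_token
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True   # hidden from document.cookie
    cookie["session"]["secure"] = True     # sent over HTTPS only
    return [
        ("Content-Type", "text/html; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
        ("Content-Security-Policy", "default-src 'none'"),
        ("Set-Cookie", cookie["session"].OutputString()),
    ]


def reflects_script(page):
    """True if the rendered page contains a live <script> tag."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    for path in SAMPLE_PATHS:
        print(reflects_script(render_vulnerable(path)),
              reflects_script(render_hardened(path)))
    print(dict(response_headers("constructed-token"))["Set-Cookie"])
```

Escaping happens after percent-decoding on purpose: escaping the raw path first would let the encoded variant through once a later layer decodes it.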

#3 webdevil

    Retired GSO General

  • Sergeant Major
  • 1,195 posts

Posted 02 March 2010 - 11:09 AM

A lot of things must have changed since the post dates back to 2003.
Start a new topic if you want to discuss anything on this.
Topic closed.
