SEC-CONSULT Security Advisory 20051021-0
================================================================================== title: Yahoo/MSIE XSS
program: Yahoo Webmail in combination with MSIE 6.0
(maybe other browsers)
homepage: www.yahoo.com
found: 2005-04
by: SEC-Team / SEC-CONSULT / www.sec-consult.com
==================================================================================
Vulnerabilty overview:
---------------
Since april 2005 SEC-Consult has found 5+ serious vulnerabilities within
Yahoo's webmail systems.
All of them have been fixed in the production environment. Nevertheless
SEC-Consult believes that input-validation thru blacklists can just be a
temporary solution to problems like this. From our point of view there
are many other applications vulnerable to this special type of problem
where vulnerabilities of clients and servers can be combined.
Vulnerabilty details:
---------------
1) XSS / Cookie-Theft
Yahoos blacklists fail to detect script-tags in combination with special
characters like NULL-Bytes and other META-Characters. This leaves
Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan /
Phishing attacks.
2) Some XSS Examples from our advisories
Excerpt from HTML-mails:
===============================================================================================SCRIPT-TAG:
---cut here---
hello
alert("i have you
now")rrrrrrxxxxx
---cut here---
===============================================================================================OBJECT-TAG:
---cut here---
value="http://[somewhere]/yahoo.swf">
---cut here---
===============================================================================================ONERROR-Attribute:
---cut here---
![]()
src="http://dontexist.info/x.jpg" one[META-Char]rror="alert('i have
you now')">uargg