SecurityTracker.com
Category:   Application (E-mail Server)  >   Yahoo Mail
Vendors:   Yahoo
Yahoo! Mail Scripting Filter Can Be Bypassed By Remote Users
SecurityTracker Alert ID:  1009872
SecurityTracker URL:  http://securitytracker.com/id/1009872
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 20 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   A vulnerability was reported in Yahoo! Mail. A remote user can bypass the e-mail filter to execute arbitrary scripting code and hijack a target user's account.

eEye Digital Security reported that a remote user can send a specially crafted e-mail to a target user to take over the target user's account. If the e-mail exceeds a certain size, the e-mail filter will fail to block scripting code.

[Editor's note: Presumably, the account hijacking occurs because the filter fails to block scripting code and the scripting code executes on the target user's system in the security domain of the Yahoo! Mail server, allowing the code to obtain the target user's session authentication data.]

Impact:   A remote user can send e-mail that, when viewed by the target user, will execute arbitrary scripting code on the target user's computer. A remote user can hijack a target user's account.
Solution:   The vendor has issued a server-based fix. Affected users do not need to apply a fix.
Vendor URL:  www.yahoo.com/
Cause:   Input validation error, State error

Message History:   None.


 Source Message Contents

Subject:  http://www.eeye.com/html/Research/Advisories/AD20040419.html


http://www.eeye.com/html/Research/Advisories/AD20040419.html

AD20040419

"Yahoo! Mail" Account Filter Overflow Hijack

Release Date:
April 19, 2004

Date Reported:
March 10, 2004

Severity:
High

Vendor:
Yahoo!

Description:
"Yahoo! Mail" is one of the Internet's most popular web based email solutions. They 
provide free email and large capacity storage, as well as subscription-based services such 
as mail forwarding, expanded storage and personalized email addresses.

eEye Digital Security has discovered a security hole in "Yahoo! Mail" which allows a 
remote attacker to take over an account remotely by sending a specially crafted email.

Technical Description:
-----------EXAMPLE EMAIL---------


[->a bunch of chars here [spaces are most stealth], the whole
file size will be just about 100KB]
[this causes the filter to not work... the code is then run
automatically]


---------------------------------

The pseudo-diagram above explains the scenario rather well. For whatever reason (we do not 
have access to Yahoo's source code or even the binary), Yahoo's email filter simply does 
not work on files which exceed a certain range. This kind of software issue is relatively 
common.

A remarkable note about this bug is that no one seems to have found it before.

As far as anyone knows.

Drew's Happy-Happy Quotes for the Day:

Ben Franklin, "Three can keep a secret if two are dead."

Protection:
Yahoo! Mail is a hosted, web based service, hence users do not need to patch.

Vendor Status:
Yahoo! has been notified and has rectified the issue.

Credit:
Drew Copley, eEye Digital Security, Research Engineer
thanks to "http-equiv" for additional research

Related Links:
Retina Network Security Scanner - Free 15 Day Trial 
http://www.eeye.com/html/Products/Retina/download.html

Greetings:
To all of you out there that don't use turn signals.
Sooner or later your time is going to come. And a special greeting to all of these 
competitors of ours making some extra cash by selling pre-fix vulnerabilities through pay 
for play "mailing lists". I am sure North Korea, the Yakuza, the "Triads", the Russian 
Mafiya, La Cosa Nostra, and every other criminal state or organization appreciates your 
type of "Partial Full Disclosure for a Darn Good Price" motto.

Copyright (c) 1998-2004 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is 
not to be edited in any way without express consent of eEye. If you wish to reprint the 
whole or any part of this alert in any other medium excluding electronic medium, please 
email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information 
constitutes acceptance for use in an AS IS condition. There are no warranties, implied or 
express, with regard to this information. In no event shall the author be liable for any 
direct or indirect damages whatsoever arising out of or in connection with the use or 
spread of this information. Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

eEye Digital Security
http://www.eEye.com
info@eEye.com
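
Added example (not part of the eEye advisory and not Yahoo's code, whose cause the advisory says is unknown): one hypothetical way a size threshold makes a content filter fail open, next to a fail-closed variant and a regression check. SCAN_LIMIT, the simplified regex sanitizer and the sample messages are assumptions constructed for illustration.

```python
import html
import re

# Hypothetical scan limit; the advisory only says "just about 100KB".
SCAN_LIMIT = 100 * 1024

# Deliberately simplified stand-in for a real HTML sanitizer: drops <script>
# elements and inline on*= handlers. Not a complete sanitizer.
_SCRIPT = re.compile(r"<script\b.*?(?:</script\s*>|\Z)", re.I | re.S)
_HANDLER = re.compile(r"\son\w+\s*=\s*(?:\"[^\"]*\"|'[^']*'|[^\s>]+)", re.I)


def strip_active_content(body: str) -> str:
    return _HANDLER.sub("", _SCRIPT.sub("", body))


def filter_fail_open(body: str) -> str:
    """Flawed pattern: oversized input skips the filter and is returned as-is."""
    if len(body.encode("utf-8")) > SCAN_LIMIT:
        return body  # unfiltered markup reaches the reader's browser
    return strip_active_content(body)


def filter_fail_closed(body: str) -> str:
    """Hardened pattern: input the filter will not process is never rendered as HTML."""
    if len(body.encode("utf-8")) > SCAN_LIMIT:
        return "<pre>" + html.escape(body) + "</pre>"  # inert text only
    return strip_active_content(body)


def renders_script(output: str) -> bool:
    """Regression check: does the output still contain live script markup?"""
    return bool(_SCRIPT.search(output) or _HANDLER.search(output))


# Constructed sample messages: the same marker element, with and without padding.
MARKER = "<script>marker()</script>"
SMALL = "<p>hello</p>" + MARKER
LARGE = "<p>hello</p>" + " " * SCAN_LIMIT + MARKER

if __name__ == "__main__":
    for name, f in (("fail-open", filter_fail_open), ("fail-closed", filter_fail_closed)):
        print(name, "small:", renders_script(f(SMALL)), "large:", renders_script(f(LARGE)))
```

A check like renders_script belongs in the filter's test suite with inputs on both sides of every size or complexity limit the filter has.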


 
 



Copyright 2021, SecurityGlobal.net LLC