SecurityTracker
Archives

Category:   Application (E-mail Server)  >   Yahoo Mail
Vendors:   Yahoo
Yahoo! Mail Encoded White Space Entity Filtering Hole Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1010375
SecurityTracker URL:  http://securitytracker.com/id/1010375
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 3 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   An input validation vulnerability was reported in Yahoo! Mail. A remote user can conduct cross-site scripting attacks.

GreyMagic Software reported that a remote user can send a specially crafted e-mail to a target Yahoo! Mail user to bypass the cross-site scripting security filter. When the target user views the e-mail message, arbitrary scripting code will be executed by the target user's browser. The code will originate from the Yahoo! Mail site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

It is reported that a remote user can embed a Javascript URL into an HTML-based e-mail message by using an encoded white-space entity whose numeric code is padded with several leading zeros, a form the filter does not recognise:

java&#000013;script:alert()

A demonstration exploit is provided:

<div style="background-image:url(jav&#000013;ascript:alert(document.cookie))">Hello!</div>
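The bypass described above (and in the advisory's Discussion section) comes from a filter that matches known encoded forms literally instead of normalising the URL the way a browser will. The Python below is an added example, not Yahoo!'s filter nor GreyMagic's code: it contrasts such a literal pattern filter with a scheme allow-list applied after decoding numeric character references (any number of leading zeros, decimal or hex, with or without the semicolon) and stripping the ASCII whitespace and control characters a browser ignores inside a scheme. The ignorable-character set and the allow-list are assumptions for the example.

```python
import re

# Added example (not Yahoo!'s filter nor GreyMagic's code). Assumption: the
# characters a browser ignores inside a scheme are ASCII space and C0 controls.
_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")
_IGNORABLE = re.compile(r"[\x00-\x20]")
_SCHEME = re.compile(r"^([a-z][a-z0-9+.-]*):")  # RFC 3986 scheme syntax


def decode_numeric_refs(value: str) -> str:
    """Decode HTML numeric character references regardless of leading zeros:
    &#13;, &#013; and &#000013; all decode to a carriage return."""
    def _sub(m: re.Match) -> str:
        cp = int(m.group(1), 16) if m.group(1) else int(m.group(2), 10)
        return chr(cp) if cp <= 0x10FFFF else ""
    return _NUMERIC_REF.sub(_sub, value)


def normalised_scheme(url: str) -> str:
    """Scheme the browser acts on: decode entities, drop ignorable characters,
    lowercase, then read a syntactically valid scheme ('' if there is none)."""
    cleaned = _IGNORABLE.sub("", decode_numeric_refs(url)).lower()
    m = _SCHEME.match(cleaned)
    return m.group(1) if m else ""


def naive_is_blocked(url: str) -> bool:
    """Pattern filter of the kind the advisory describes: it knows the plain
    scheme and the two well-known encoded forms, nothing else."""
    lowered = url.lower()
    known = ("javascript:", "jav&#97script:", "java&#13;script:")
    return any(pattern in lowered for pattern in known)


SAFE_SCHEMES = ("", "http", "https")  # '' = relative URL (assumed allow-list)


def normalising_is_blocked(url: str) -> bool:
    """Allow-list check applied after normalisation; encoding does not matter."""
    return normalised_scheme(url) not in SAFE_SCHEMES


if __name__ == "__main__":
    # Constructed samples: the three variants from the advisory plus a benign URL.
    for sample in ("jav&#97script:alert()", "java&#13;script:alert()",
                   "java&#000013;script:alert()", "https://example.org/a.png"):
        print(f"{sample!r:34} naive_blocked={naive_is_blocked(sample)!s:5} "
              f"normalising_blocked={normalising_is_blocked(sample)}")
```

Only the third sample slips past the literal filter; the normalising check rejects all three while still admitting the benign image URL.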

The vendor was reportedly notified on May 20, 2004.

The original advisory is available at:

http://www.greymagic.com/security/advisories/gm006-mc/

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Yahoo! Mail site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor reportedly issued a fix as of May 24, 2004.
Vendor URL:  mail.yahoo.com/
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  [Full-Disclosure] Simple Yahoo! Mail Cross-Site Scripting (GM#006-MC)


GreyMagic Security Advisory GM#006-MC
=====================================

GreyMagic Software, 03 Jun 2004.

Available in HTML format at
http://www.greymagic.com/security/advisories/gm006-mc/.

Topic: Simple Yahoo! Mail Cross-Site Scripting.

Discovery date: 16 May 2004.

Affected applications:
======================

* Yahoo! web-based email service.


Introduction:
=============

Web-based email services and Yahoo! specifically make tremendous efforts to
sanitize incoming emails from potentially unsafe HTML content. Flawed
filtering of such unsafe content may result in severe consequences that
would occur as soon as a user opens an email for reading, including: 

* Theft of login and password.
* Content disclosure of any email in the mailbox.
* Automatic sending of emails from the mailbox.
* Exploitation of known vulnerabilities in the browser to access the user's
file system and eventually take over the machine.
* Distribution of a web-based email worm.
* Disclosure of all contacts within the address book.


Discussion: 
===========

GreyMagic discovered that by sending a maliciously formed email to a Yahoo
user it is possible to circumvent the filter and execute script in the
context of a logged-in Yahoo! user. 

A known Cross-Site Scripting weakness is using entities instead of actual
chars, for example: "jav&#97script:alert()". There is also a variation of
that weakness, caused by the way browsers ignore white-space chars in URLs:
"java&#13;script:alert()". Yahoo! properly filters both of these scenarios. 

However, a third variation remains unfiltered. It is possible to embed a
javascript URL by using a white-space entity with multiple zero chars in
front of it: "java&#000013;script:alert()". 


Exploit: 
========

The following HTML embedded in an email would show a Yahoo! user's cookie
when opened: 

<div style="background-image:url(jav&#000013;ascript:alert(document.cookie))">Hello!</div>


Solution: 
=========

GreyMagic informed Yahoo! of the vulnerability on 20-May-2004. Yahoo!
responded promptly and reported that it patched the vulnerability on
24-May-2004. 


Tested on: 
==========

Yahoo! web-based email service.


Disclaimer:
===========

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind. 

GreyMagic Software is not liable for any direct or indirect damages caused
as a result of using the information or demonstrations provided in any part
of this advisory. 

- Copyright (c) 2004 GreyMagic Software.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
