Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Remote crashes in Yahoo messenger
From: Chris Bisnett <wav_boy2 () yahoo com>
Date: Fri, 22 Feb 2002 18:06:51 -0800 (PST)

I would also like to point out that messenger sends
the password in clear text.  I don't know if that has
been said before and if it has i'm sorry

--- Scott Woodward <scott () phoenixtechie com> wrote:
 All versions of Yahoo messenger version 5. Listens
on port 5101 on client
machine.  (obviously to
 offload server traffic for IMs)

 (for all of the problems listed below, the traffic
is sent to the yahoo
messenger opened port, 5101)

 1.  One can crash yahoo messenger by overflowing
the message field in the
 yahoo protocol.
 2.  One can crash yahoo messenger by overflowing
the IMvironment field in
 the yahoo protocol.
 3.  One can send a message as a spoofed name.
 4.  One can send many many messages from different
names, flooding the
 5.  One can add a person to their buddy list
(without their consent even),
 then message them a few times and that persons IP
address will be sent in a
 message over yahoo's server.

 I would imagine there are many many more security
problems to be found.

Do You Yahoo!?
Yahoo! Sports - Coverage of the 2002 Olympic Games

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]