|
Bugtraq
mailing list archives
RE: XSS on Yahoo Mail
From: Will Wesley <willwesleyccna () yahoo de>
Date: Thu, 24 Nov 2005 03:50:04 +0100 (CET)
--- Richard Fuchshuber <richardfuch () yahoo com br>
schrieb:
Hi,
I've noticed a strange behavior in "Yahoo! Mail"
when dealing with html
attachments. It's possible to insert data into the
"Yahoo! Mail" html
interface.
For example, with the following code in an html
attachment it's possible
to insert "Your profile is out of date, please
update clicking here" above
the button "Check Mail".
<?
<TABLE border="1" cellspacing="1" cellpadding="0">
<TR>Your profile is out of date, please update <a
href="www.blabla.com">clicking here.</a></TR>
</TABLE>
I think this could be used in phishing scam.
For a screenshot, see [1]. The circulated text was
inserted into interface
of the "Yahoo! Mail" through an email with the
above code as an html
attachment.
I tried to contact "Yahoo!" several times, without
success.
[1] - http://richard.computeiro.com/yahoo_bug.jpg
This is not exactly a problem with Yahoo!, but rather
a problem with the way browsers tend to render HTML
when forced to deal with broken tags. Your "<?
<table....> is not needed to accomplish the same
thing, since a browser will consider everything from <
to the next > as a tag. Since <? is not recognized the
whole thing is ignored.
The real problem is that you are injecting a TR
element into the middle of a TD, then closing the
table without first closing the TD. Any web developer
who would do such a thing is a moron, and your browser
does the best it can to make sense of it. You might
try asking Yahoo how to turn HTML off, or simply use
POP with a text only reader to work around this.
- Will Wesley, BSCS
http://wieso.blogdrive.com
___________________________________________________________
Gesendet von Yahoo! Mail - Jetzt mit 1GB Speicher kostenlos - Hier anmelden: http://mail.yahoo.de
 By Date 
By Thread
Current thread:
|
Intro
