Bugtraq: Re: XSS on Yahoo Mail

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: XSS on Yahoo Mail

From: "Jim Ley" <jim () jibbering com>
Date: Thu, 24 Nov 2005 19:28:45 -0000


"Will Wesley" <willwesleyccna () yahoo de> wrote in message 
news:20051124025004.32883.qmail () web26902 mail ukl yahoo com

This is not exactly a problem with Yahoo!, but rather
a problem with the way browsers tend to render HTML
when forced to deal with broken tags.


So it's a problem with Yahoo, as they allow the email, to write to places on 
the screen that is not part of the email.  I agree this is certainly down to 
the liberalness of the browsers parser, but that doesn't mean yahoo can 
ignore it, it's just a demonstration of how difficult a job it is for people 
who want to accept arbitrary HTML to be secure for their user

Of course there is a pretty simple solution, which is to just use an IFRAME, 
then there's no way the email to escape into the surrounding chrome.

Jim.

By Date By Thread

Current thread:

XSS on Yahoo Mail Richard Fuchshuber (Nov 23)
- RE: XSS on Yahoo Mail Will Wesley (Nov 24)
  - Re: XSS on Yahoo Mail Steven Champeon (Nov 26)
    - Re: XSS on Yahoo Mail Will Wesley (Nov 26)
  - Re: XSS on Yahoo Mail Jim Ley (Nov 26)
  - RE: XSS on Yahoo Mail Richard Fuchshuber (Nov 26)
- Re: XSS on Yahoo Mail Personal Account (Nov 26)
- <Possible follow-ups>
- Re: XSS on Yahoo Mail little . hacker (Nov 26)
  - Re: XSS on Yahoo Mail Matan Peled (Nov 26)
- Re: XSS on Yahoo Mail alireza hassani (Nov 26)