
Full Disclosure mailing list archives

yahoomail dom based xss vulnerability
From: pratul agrawal <pratulag () yahoo com>
Date: Mon, 14 Jun 2010 21:50:33 -0700 (PDT)

Yahoo mail Dom Based Cross Site

Founder: Pratul Agrawal <pratulag[at]yahoo[dot]com>

Description

Service: Webmail

Vendor: Yahoo mail, and possibly others

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: High

Tested on: Microsoft IE 7.0


Yahoo mail filter fails to detect script attributes in combination with
the style attribute as a tag, leaving everyone using yahoo mail service
with MSIE vulnerable to Cross Site Scripting including Cookie Theft and
relogin attacks.


This is totally a DOM based XSS attack. An application takes the
user-supplied data and directly feeds it into the API designed to show the
newly created folder name in the yahoomail. Through this an attacker can
easily perform a cookie theft attack, site defacement attack and many
more.

Steps To Reproduce

1. Log in to yahoomail with valid credentials.


2. Click on inbox.


3. Now click on Move < [New Folder].


4. Now enter the javascript "><script>alert('yahoo')</script> in the field given for creating new folder.


5. Press OK and the script gets executed.  yahhhhooooo

Best Regards,
Pratul Agrawal

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
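
The pattern the post describes (a user-supplied folder name fed straight into the page), shown beside a hardened form, as an added example that is not part of the original post and not Yahoo Mail code. The markup, function names and the regression check are assumptions made for illustration.

```javascript
// Added example: markup and names are hypothetical, not taken from Yahoo Mail.
const PAYLOAD = '"><script>alert(\'yahoo\')</script>'; // string from step 4 of the post

// Vulnerable pattern: input concatenated into markup that is later assigned
// to innerHTML. The leading "> closes the attribute and the tag.
function renderFolderUnsafe(name) {
  return '<li class="folder" title="' + name + '">' + name + '</li>';
}

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened string builder: same markup, input encoded for both the text
// context and the double-quoted attribute context.
function renderFolderSafe(name) {
  const n = escapeHtml(name);
  return '<li class="folder" title="' + n + '">' + n + '</li>';
}

// Preferred in a browser: build the node with DOM APIs so the input is
// never parsed as HTML. `doc` is the page's document object.
function renderFolderDom(doc, name) {
  const li = doc.createElement('li');
  li.className = 'folder';
  li.setAttribute('title', name);
  li.textContent = name;
  return li;
}

// Regression check: the template contains exactly <li ...> and </li>;
// any other tag count means the input introduced markup of its own.
function introducesMarkup(html) {
  const tags = html.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.length !== 2;
}
```

The string-escaping variant only covers the two contexts used here (element text and a double-quoted attribute); input placed in a URL, a script block or an event handler needs encoding for that context instead.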
