Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com
From: Stefan Schurtz <sschurtz () t-online de>
Date: Sat, 08 Mar 2014 12:01:55 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jann,

you're right...bad description here (too much copy & paste) :)

The XSS is cookie-based, so you can find it in the cookie with the
payload.

Please see "&intl=dec52a6"-alert(document.domain)-"c8d9133635e;"

Kind regards,
Stefan

Am 08.03.2014 11:40, schrieb Jann Horn:
On Sat, Mar 08, 2014 at 11:24:03AM +0100, Stefan Schurtz wrote:
The 'intl'-Paramter on "https://de-mg42.mail.yahoo.com/"; is
prone to a Cross-site Scripting vulnerability [...] GET 
https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr

Host: de-mg42.mail.yahoo.com [...]

Uh, where is that intl parameter you speak of? the only parameter
I see here is .rand, which, as far as I know, just serves to 
circumvent caching. And where is the XSS payload?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlMa+J0ACgkQg3svV2LcbMCRLwCfR1L1XiqxEjnT4F8Z/MYJFbLS
KSoAnRQAMaK6woO866COwlK1kPsYaueu
=wg9L
-----END PGP SIGNATURE-----

Attachment: 0x62DC6CC0.asc
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]