Full Disclosure: Re: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com

Nmap Security Scanner
- Intro
- Ref Guide
- Install Guide
- Download
- Changelog
- Book
- Docs
Security Lists
- Nmap Hackers
- Nmap Dev
- Bugtraq
- Full Disclosure
- Pen Test
- Basics
- More
Security Tools
Site News
Advertising
About/Contact
Sponsors:

Re: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com

From: Stefan Schurtz <sschurtz () t-online de>
Date: Sat, 08 Mar 2014 12:01:55 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jann,

you're right...bad description here (too much copy & paste) :)

The XSS is cookie-based, so you can find it in the cookie with the
payload.

Please see "&intl=dec52a6"-alert(document.domain)-"c8d9133635e;"

Kind regards,
Stefan

Am 08.03.2014 11:40, schrieb Jann Horn:

On Sat, Mar 08, 2014 at 11:24:03AM +0100, Stefan Schurtz wrote:

The 'intl'-Paramter on "https://de-mg42.mail.yahoo.com/"; is
prone to a Cross-site Scripting vulnerability [...] GET 
https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr

Host: de-mg42.mail.yahoo.com [...]


Uh, where is that intl parameter you speak of? the only parameter
I see here is .rand, which, as far as I know, just serves to 
circumvent caching. And where is the XSS payload?


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlMa+J0ACgkQg3svV2LcbMCRLwCfR1L1XiqxEjnT4F8Z/MYJFbLS
KSoAnRQAMaK6woO866COwlK1kPsYaueu
=wg9L
-----END PGP SIGNATURE-----

Attachment: 0x62DC6CC0.asc
Description:

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com Stefan Schurtz (Mar 08)
- Message not available
  - Re: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com Stefan Schurtz (Mar 08)