Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: XSS on Yahoo Mail

XSS on Yahoo Mail

From: Richard Fuchshuber <richardfuch_at_yahoo.com.br>
Date: Wed, 23 Nov 2005 14:44:34 -0300 (ART)

  Hi,

I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
attachments. It's possible to insert data into the "Yahoo! Mail" html
interface.

For example, with the following code in an html attachment it's possible
to insert "Your profile is out of date, please update clicking here" above
the button "Check Mail".

<?
<TABLE border="1" cellspacing="1" cellpadding="0">
<TR>Your profile is out of date, please update <a
href="www.blabla.com">clicking here.</a></TR>
</TABLE>

I think this could be used in phishing scam.

For a screenshot, see [1]. The circulated text was inserted into interface
of the "Yahoo! Mail" through an email with the above code as an html
attachment.

I tried to contact "Yahoo!" several times, without success.

[1] - http://richard.computeiro.com/yahoo_bug.jpg

        

        
                
_______________________________________________________
Yahoo! Acesso Grátis: Internet rápida e grátis.
Instale o discador agora!
http://br.acesso.yahoo.com/
Received on Nov 23 2005

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]