============================================
SEC-CONSULT Security Advisory 20050401 Yahoo/MSIE XSS
============================================
Product: Yahoo Webmail in combination with MSIE 6.0
Remarks: no other Versions tested but very likely vulnerable
Vulnerabilities: XSS/Cookie-Theft
Vendor: Yahoo
Vendor-Status: vendor contacted (18.04.2005)
Vendor-Patches: patched 01.05.2005 in production environment
Object: MSIE (unknown version)
Exploitable:
Local: ---
Remote: YES
============
Introduction
============
---
=====================
Vulnerability Details
=====================
1) XSS / Cookie-Theft
=====================
Yahoo's blacklists fail to detect script tags when they are combined with special characters such as NULL bytes.
This leaves Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan / Phishing / Pharming attacks.
XSS Example
===========
Excerpt from HTML-mail:
---cut here---
Hola,<br><sc[NULL-Byte(0x00)]ript>alert(document.cookie)
</s[NULL-Byte(0x00)]cript><p>blaa</p>
---cut here---
Remarks:
MSIE Problem
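
Added example (not part of the original advisory, and not Yahoo's code): a Python sketch of the filter mismatch described above, showing a blacklist applied to the raw mail body next to one that first removes the characters the client ignores. The function names, the regular expressions and the set of ignored control characters are assumptions made for this illustration.

```python
import re

# Constructed sample mirroring the advisory's excerpt; "\x00" is the NULL byte.
SAMPLE = "Hola,<br><sc\x00ript>alert(document.cookie)\n</s\x00cript><p>blaa</p>"

# Blacklist pattern for opening and closing script tags.
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE)
# Characters a lenient HTML parser may silently drop inside a tag name
# (assumption for this example: NUL and other controls except tab/LF/CR).
IGNORED = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def naive_filter(html):
    """Blacklist applied to the raw text: the failure mode in the advisory."""
    return SCRIPT_TAG.sub("", html)


def canonicalize(html):
    """Drop characters the client would ignore, so that the filter and the
    browser tokenize the same string."""
    return IGNORED.sub("", html)


def hardened_filter(html):
    """Canonicalize first, then filter, repeating until the output is stable
    so that removing one match cannot splice a new tag together."""
    prev, cur = None, canonicalize(html)
    while cur != prev:
        prev, cur = cur, SCRIPT_TAG.sub("", cur)
    return cur


def browser_view(html):
    """Model of a client that ignores NUL bytes while parsing, as the
    advisory reports for MSIE 6.0."""
    return html.replace("\x00", "")


def reaches_script(filtered):
    """True if the client-side view of the filtered mail still has a script tag."""
    return bool(SCRIPT_TAG.search(browser_view(filtered)))


if __name__ == "__main__":
    print("naive filter lets script through:   ", reaches_script(naive_filter(SAMPLE)))
    print("hardened filter lets script through:", reaches_script(hardened_filter(SAMPLE)))
```

Canonicalizing before matching closes this particular gap; an allowlist-based HTML sanitizer that rebuilds the markup from parsed tokens is the more robust design, since it does not depend on enumerating every character a client might ignore.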
===============
General remarks
===============
We would like to apologize in advance for potential nonconformities and/or known issues.
====================
Recommended hotfixes
====================
Vendor-Patches: ---
=======
Contact
=======
SEC-CONSULT
Austria / EUROPE
m.eiszner@sec-consult.com
EOF M.Eiszner / @2005mei@sec-consult.com