SEC-CONSULT Security Advisory 20050401 Yahoo/MSIE XSS

============================================

Product: Yahoo Webmail in combination with MSIE 6.0
Remarks: no other versions tested, but very likely vulnerable
Vulnerabilities: XSS/Cookie-Theft
Vendor: Yahoo
Vendor-Status: vendor contacted (18.04.2005)
Vendor-Patches: patched 01.05.2005 in production environment
Object: MSIE (unknown version)
Exploitable:
Local: ---
Remote: YES

============
Introduction
============

---

=====================
Vulnerability Details
=====================

1) XSS / Cookie-Theft
=====================

Yahoo's blacklists fail to detect script tags in combination with special characters such as NULL bytes.

This leaves Webmail users running MSIE vulnerable to typical XSS / Relogin-trojan / Phishing / Pharming attacks.

XSS Example
===========

Excerpt from HTML-mail:

---cut here---
Hola,<br><sc[NULL-Byte(0x00)]ript>alert(document.cookie)
</s[NULL-Byte(0x00)]cript><p>blaa</p>
---cut here---
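To show why the blacklist described above misses the excerpt and how a filter should handle it, here is an added Python example (not part of the advisory and not Yahoo's code): a naive tag blacklist, the same check after stripping control characters, and a small allow-list sanitizer. The mail body is constructed from the excerpt, and the allowed-tag policy is a hypothetical choice for illustration.

```python
import html
import re

# Constructed mail body following the advisory's excerpt: the <script> tag is
# split by a NUL byte, which MSIE 6 of the time ignored while tokenising HTML.
SAMPLE_MAIL = "Hola,<br><sc\x00ript>alert(document.cookie)</s\x00cript><p>blaa</p>"

SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)

def naive_blacklist_blocks(body: str) -> bool:
    """The kind of check the advisory describes: match the literal tag name."""
    return SCRIPT_TAG.search(body) is not None

# C0 control characters (NUL included) and DEL have no place in HTML text; remove
# them BEFORE filtering so the filter sees the same token stream the browser will.
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def normalize(body: str) -> str:
    return CONTROL_CHARS.sub("", body)

def hardened_blacklist_blocks(body: str) -> bool:
    """Same blacklist, applied to the canonicalized body."""
    return SCRIPT_TAG.search(normalize(body)) is not None

# Allow-list alternative (hypothetical policy): keep a few harmless tags verbatim,
# escape every other tag and all text. Tags with attributes do not match TAG_RE
# and are therefore escaped as well (fail closed).
ALLOWED_TAGS = {"br", "p"}
TAG_RE = re.compile(r"<(/?)([a-zA-Z][a-zA-Z0-9]*)\s*/?>")

def sanitize_for_display(body: str) -> str:
    body = normalize(body)
    out, pos = [], 0
    for m in TAG_RE.finditer(body):
        out.append(html.escape(body[pos:m.start()]))
        closing, name = m.group(1), m.group(2).lower()
        if name in ALLOWED_TAGS:
            out.append(f"<{closing}{name}>")
        else:
            out.append(html.escape(m.group(0)))  # unknown tag becomes inert text
        pos = m.end()
    out.append(html.escape(body[pos:]))
    return "".join(out)

if __name__ == "__main__":
    print("naive blacklist blocks sample:   ", naive_blacklist_blocks(SAMPLE_MAIL))
    print("hardened blacklist blocks sample:", hardened_blacklist_blocks(SAMPLE_MAIL))
    print("sanitized output:", sanitize_for_display(SAMPLE_MAIL))
```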


Remarks:

MSIE Problem

===============
General remarks
===============

We would like to apologize in advance for potential nonconformities and/or known issues.

====================
Recommended hotfixes
====================

Vendor-Patches: ---

=======
Contact
=======

SEC-CONSULT
Austria / EUROPE
m.eiszner@sec-consult.com

EOF M.Eiszner / @2005mei@sec-consult.com