Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS

To: "Cesar" <cesarc56@xxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
From: "Morning Wood" <se_cur_ity@xxxxxxxxxxx>
Date: Mon, 17 Apr 2006 20:34:16 -0700
Cc: <bugtraq@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20060417190234.20495.qmail@xxxxxxxxxxxxxxxxxxxxxxx>

reflecting on this...

the offending url you give is http://w00tynetwork.com/x/
which contains a fake yahoo login ( for webmail )
(( and other exploits embedded within the site ))


you state this is a Yahoo Email vulnerability.

stop me if im wrong...

why would anyone be vulnerable to a Yahoo login redirect phish, if in factthey are already logged in to read the mail in the first place.

i can appriciate the possibility of XSS within the Yahoo webmail interface,just not

with this particular redirect code ( or site url ) you provide.

XSS could be more effectivly used to leverage a browser exploit, rather than( trying to )

steal your credentals ala phishing

2cents,

MW

References:
- [Argeniss] Alert - Yahoo! Webmail XSS
  - From: Cesar

Prev by Date: Remote Xine Format String Vulnerability
Next by Date: Another flaw in Firefox 1.5.0.2: to open files from remote
Previous by thread: [Argeniss] Alert - Yahoo! Webmail XSS
Next by thread: Re: [Full-disclosure] [Argeniss] Alert - Yahoo! Webmail XSS
Index(es):
- Date
- Thread