Yahoo! Mail XSS Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Yahoo! Mail XSS Vulnerability
From: "Cheng Peng Su" <applesoup@xxxxxxxxx>
Date: Fri, 21 Apr 2006 19:16:01 +0800
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=hWpP0P0s5uEwg3y2xml8AaN4F48ZxSx4GFLcJqvZkcAGRqgLChuFFSoy0ppH8pWPtVyaBWyHnSH6zzmhKhIxQLqW27qQhOksmIWTHoAkUsya7DUHTApSy1VbMFAn2QysUCgFn5P4Wpf53rM6qlf/zfeHzrcmWNJF8b5waifKSEo=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Adivisory Name : Yahoo! Mail XSS Vulnerability
Release Date : 2006.04.21
Application : Yahoo! web-based email service
Test On : Microsoft IE 6.0
Discover : Cheng Peng Su(applesoup_at_gmail.com)

Description:

Yahoo! Mail is one of the Internet's most popular web based email solutions.

Details:

This vulnerability is resulted from the failure of Yahoo! Mail's
filtering engine to

block "expression()" syntax in a CSS attribute using a comment to
break up expression,

and the comment symbol( /* */ ) must be hex encoded so that we can
bypass the filter.

An example:

<SPAN STYLE="width:ex/* good *&#x2F;pression(alert());">Hello</SPAN>

the injected code inside the CSS attribute is responsible for

-Getting cookies.
-Potential web-based e-mail worm.

Vender status:

2006.04.01 Informed the vendor.
2006.04.03 The vendor confirmed the vulnerability.
2006.04.XX The vendor patched the vulnerability. ( They patched it silently )

Original advisory:

http://applesoup.googlepages.com/yahoo_mail_xss.txt

Prev by Date: Re: redirection vuln crawlers breed & security through obscurity
Next by Date: MSIE (mshtml.dll) OBJECT tag vulnerability
Previous by thread: FlexBB 0.5.5 Exploit [ function/showprofile.php ] Remote SQL Injection
Next by thread: MSIE (mshtml.dll) OBJECT tag vulnerability
Index(es):
- Date
- Thread