Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger
DESCRIPTION:
I?ve found a cross-site scripting vulnerability in Yahoo! Messenger, a popular
advertisement-supported instant messaging client and protocol provided by
Yahoo! Attacker can inject a malicious script with local privilege to Y!M
notification message.
The vulnerability is discovered in the chat dialog. The automatic notification
message of Yahoo! Messenger, for instance ?Hai Nam Luke has signed out.
(1/26/2007 10:03 PM)? or ?Hai Nam Luke has signed back in. (1/26/2007 10:04
PM)? can be easily exploited with injecting a malicious script to. Script is
disabled in chat messages but system notification messasage. That Yahoo
Messenger uses Internet Explorer to display messages, the malicious script will
be run with local privilege in the Internet Explorer Temporary Folder. This
serious vulnerability could allow attacker gain the victim?s system access.
Inject unexpected script also causes other Yahoo! Messenger?s errors.
AFFECTED VERSION:
Yahoo! Messenger 8.1.0.29 and previous versions
PROOF OF CONCEPT:
+ Firstname: Hai Nam Luke Hai Nam Luke Hai Nam Luke Hai Nam Luke ? ( as long as
victim cant see the lastname)
+ Lastname: <img src="javascript:alert('Executed from ' +
top.location)" >
+ Request to add victim ID to your contact list.
+ Once victim accepts your request, send him a message and change your online
status (Available -> Invisible)
This vulnerability was reported to Yahoo!
Hai Nam Luke <hainamluke@xxxxxxxxx>
K46A - NEU