Cheng Peng Su
24/04/06, 01:20
Adivisory Name : Yahoo! Mail XSS Vulnerability
Release Date : 2006.04.21
Application : Yahoo! web-based email service
Test On : Microsoft IE 6.0
Discover : Cheng Peng Su(applesoup_at_gmail.com)
Description:
Yahoo! Mail is one of the Internet's most popular web based email solutions=
..
Details:
This vulnerability is resulted from the failure of Yahoo! Mail's
filtering engine to
block "expression()" syntax in a CSS attribute using a comment to
break up expression,
and the comment symbol( /* */ ) must be hex encoded so that we can
bypass the filter.
An example:
<SPAN STYLE=3D"width:ex/* good */pression(alert());">Hello</SPAN>
the injected code inside the CSS attribute is responsible for
-Getting cookies.
-Potential web-based e-mail worm.
Vender status:
2006.04.01 Informed the vendor.
2006.04.03 The vendor confirmed the vulnerability.
2006.04.XX The vendor patched the vulnerability. ( They patched it silently=
)
Original advisory:
http://applesoup.googlepages.com/yahoo_mail_xss.txt
Release Date : 2006.04.21
Application : Yahoo! web-based email service
Test On : Microsoft IE 6.0
Discover : Cheng Peng Su(applesoup_at_gmail.com)
Description:
Yahoo! Mail is one of the Internet's most popular web based email solutions=
..
Details:
This vulnerability is resulted from the failure of Yahoo! Mail's
filtering engine to
block "expression()" syntax in a CSS attribute using a comment to
break up expression,
and the comment symbol( /* */ ) must be hex encoded so that we can
bypass the filter.
An example:
<SPAN STYLE=3D"width:ex/* good */pression(alert());">Hello</SPAN>
the injected code inside the CSS attribute is responsible for
-Getting cookies.
-Potential web-based e-mail worm.
Vender status:
2006.04.01 Informed the vendor.
2006.04.03 The vendor confirmed the vulnerability.
2006.04.XX The vendor patched the vulnerability. ( They patched it silently=
)
Original advisory:
http://applesoup.googlepages.com/yahoo_mail_xss.txt