Bugtraq mailing list archives
Re: Remote crashes in Yahoo messenger
From: Chris Bisnett <wav_boy2 () yahoo com>
Date: Fri, 22 Feb 2002 18:06:51 -0800 (PST)
I would also like to point out that messenger sends the password in clear text. I don't know if that has been said before and if it has i'm sorry --- Scott Woodward <scott () phoenixtechie com> wrote:
All versions of Yahoo messenger version 5. Listens on port 5101 on client machine. (obviously to offload server traffic for IMs) problems: (for all of the problems listed below, the traffic is sent to the yahoo messenger opened port, 5101) 1. One can crash yahoo messenger by overflowing the message field in the yahoo protocol. 2. One can crash yahoo messenger by overflowing the IMvironment field in the yahoo protocol. 3. One can send a message as a spoofed name. 4. One can send many many messages from different names, flooding the person. 5. One can add a person to their buddy list (without their consent even), then message them a few times and that persons IP address will be sent in a message over yahoo's server. I would imagine there are many many more security problems to be found.
__________________________________________________ Do You Yahoo!? Yahoo! Sports - Coverage of the 2002 Olympic Games http://sports.yahoo.com
Current thread:
- Remote crashes in Yahoo messenger Scott Woodward (Feb 22)
- Re: Remote crashes in Yahoo messenger Chris Bisnett (Feb 25)
- <Possible follow-ups>
- Re: Re: Remote crashes in Yahoo messenger Chris Bisnett (Feb 25)