RE: XSS on Yahoo Mail

[Will Wesley <willwesleyccna () yahoo de>]

--- Richard Fuchshuber <richardfuch () yahoo com br>
schrieb:

>   Hi,
>
> I've noticed a strange behavior in "Yahoo! Mail"
> when dealing with html
> attachments. It's possible to insert data into the
> "Yahoo! Mail" html
> interface.
>
> For example, with the following code in an html
> attachment it's possible
> to insert "Your profile is out of date, please
> update clicking here" above
> the button "Check Mail".
>
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
>
> I think this could be used in phishing scam.
>
> For a screenshot, see [1]. The circulated text was
> inserted into interface
> of the "Yahoo!  Mail" through an email  with the
> above code  as an html
> attachment.
>
> I tried to contact "Yahoo!" several times, without
> success.
>
> [1] - http://richard.computeiro.com/yahoo_bug.jpg

This is not exactly a problem with Yahoo!, but rather
a problem with the way browsers tend to render HTML
when forced to deal with broken tags. Your "<?
<table....> is not needed to accomplish the same
thing, since a browser will consider everything from <
to the next > as a tag. Since <? is not recognized the
whole thing is ignored.

The real problem is that you are injecting a TR
element into the middle of a TD, then closing the
table without first closing the TD. Any web developer
who would do such a thing is a moron, and your browser
does the best it can to make sense of it. You might
try asking Yahoo how to turn HTML off, or simply use
POP with a text only reader to work around this.

- Will Wesley, BSCS
http://wieso.blogdrive.com



        

        
                
___________________________________________________________ 
Gesendet von Yahoo! Mail - Jetzt mit 1GB Speicher kostenlos - Hier anmelden: http://mail.yahoo.de