Full Disclosure mailing list archives
Re: [Argeniss] Alert - Yahoo! Webmail XSS
From: Cesar <cesarc56 () yahoo com>
Date: Tue, 18 Apr 2006 07:32:58 -0700 (PDT)
It's a Yahoo! Mail XSS vulnerability.

The XSS exploit was really cool. I could identify that something was wrong because the IE status bar displayed a weird URL for a couple of seconds, the address bar didn't change (MS please change this behaviour!), but you can be sure that with this exploit 99% of people would bite. Yahoo! Mail once in a while will ask you to re-login again so it's not so abnormal. The exploit could have been crafted better if it had displayed some message about session time out or something and not just redirected to the login page without any message.

I guess they wanted my password for trying on other accounts.

Cesar.

Morning Wood wrote:

reflecting on this... the offending url you give is
http://w00tynetwork.com/x/
which contains a fake yahoo login ( for webmail ) (( and other exploits embedded within the site ))

you state this is a Yahoo Email vulnerability. stop me if I'm wrong... why would anyone be vulnerable to a Yahoo login redirect phish, if in fact they are already logged in to read the mail in the first place.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/