[Full-disclosure] Yahoo Toolbar YShortcut.dll IsTaggedBM() Buffer Overflow
Elazar Broad
elazarb at earthlink.net
Wed Dec 19 15:56:28 GMT 2007
YShortcut is a feature of the Yahoo Toolbar which allows you to map shortcuts to URLs, e.g. y = http://www.yahoo.com and bla = http://www.somesite.com. The IsTaggedBM function is called every time anything is typed into the browser's address bar. This function suffers from an exploitable buffer overflow if 3000 characters are passed to it. Instead of doing their own bounds checking, Yahoo relies on the 2083-character maximum URL length for Internet Explorer. This object is NOT marked safe for scripting.
YShortcut.dll, version 2006.8.15.1
{67CE97C5-ABE6-429A-B6BD-3BD1333A0825}
Elazar
Full-Disclosure is hosted and sponsored by Secunia.
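
The bounds check the post says is missing, as an added example that is not part of the original post and not Yahoo's code: the lookup enforces its own length limit instead of relying on the browser's 2083-character URL cap. The function names, the narrow-character signature, the buffer size and the shortcut table are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Assumed size: IE's 2083-character URL limit plus a terminating NUL. */
#define SHORTCUT_BUF_LEN 2084

struct shortcut { const char *tag; const char *url; };

/* Constructed table holding the two mappings the post uses as examples. */
static const struct shortcut k_shortcuts[] = {
    { "y",   "http://www.yahoo.com" },
    { "bla", "http://www.somesite.com" },
};

/* Hypothetical stand-in for the lookup. Returns 1 when `typed` is a known
 * shortcut, 0 when it is not, -1 when the input is rejected. */
int is_tagged_bm_checked(const char *typed, size_t typed_len, const char **url_out)
{
    char buf[SHORTCUT_BUF_LEN];
    size_t i;
    if (typed == NULL || url_out == NULL)
        return -1;
    *url_out = NULL;
    /* The callee enforces its own limit instead of trusting the browser's. */
    if (typed_len >= sizeof buf || memchr(typed, '\0', typed_len) != NULL)
        return -1;
    memcpy(buf, typed, typed_len);
    buf[typed_len] = '\0';
    for (i = 0; i < sizeof k_shortcuts / sizeof k_shortcuts[0]; i++) {
        if (strcmp(buf, k_shortcuts[i].tag) == 0) {
            *url_out = k_shortcuts[i].url;
            return 1;
        }
    }
    return 0;
}

/* Calls the lookup with n filler characters and returns its result code. */
int probe_len(size_t n)
{
    const char *url = NULL;
    char *s = malloc(n + 1);
    int rc;
    if (s == NULL) return -2;
    memset(s, 'A', n);
    rc = is_tagged_bm_checked(s, n, &url);
    free(s);
    return rc;
}
```

Calling `probe_len(3000)` exercises the input length named in the post and is rejected before any copy takes place.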