<br clear="all">
<p>//=====================&gt;&gt; Security Advisory &lt;&lt;=====================//<br>
<br>
------------------------------ </p>



<p style="margin-bottom: 12pt;">---------------------------------------<br>
Multiple YAHOO BUGS<br>
---------------------------------------------------------------------<br>
<br>
&nbsp;<br>
<br>
--[ Author: Sumit Siddharth and Kishor Sonawane, NII Consulting (<a href="http://www.nii.co.in/">www.nii.co.in</a>)<br>
<br>
--[ Discovery Date: 07/12/2005<br>
<br>
--[ Vendor Contacted: 07/12/2005<br>
<br>
--[ Vendor Response: No response<br>
<br>
--[ Bug Released: 21/12/2005<br>
<br>
--[ Website: <a href="http://www.yahoo.com/">www.yahoo.com</a><br>
<br>
--[ Severity: Low<br>
<br>
<br>
<b>YAHOO MAIL XSS BUG</b><br>
<br>
An XSS bug was identified in Yahoo Mail. We are not able to verify whether
it is remotely exploitable, thus we will call it a bug.<br>
<br>
Yahoo Mail has a <b>Yahoo Notepad</b> feature, which has options for
maintaining folder(s). There is an option to rename a folder. The prompt
that appears allows arbitrary script execution. However, we are still not
able to verify if it is remotely exploitable.<br>
Screenshots can be seen at the following links:<br>
<br>
1. <a href="http://www.nii.co.in/vuln/yahoo1.jpg">http://www.nii.co.in/vuln/yahoo1.jpg</a><br>
2. <a href="http://www.nii.co.in/vuln/yahoo2.jpg">http://www.nii.co.in/vuln/yahoo2.jpg</a><br>
<br>
---------------------------------------------------------------------<br>
<br>
<b>Yahoo mail URL injection/URL redirection:-</b><br>
<br>
<a href="http://login.yahoo.com/config/login?.intl=us&amp;.src=ym&amp;.done=http%3a//google.com">http://login.yahoo.com/config/login?.intl=us&amp;.src=ym&amp;.done=http%3a//google.com</a><br>
<br>
The .done parameter is not properly sanitized before the URL is returned. Thus,
after successful validation, the victim will be redirected to any URL
(Google here). This can then be followed by a phishing attack.<br>
<br>
---------------------------------------------------------------------<br>
<br>
<b>Yahoo Videos URL Injection/URL Redirection:-</b><br>
<br>
<a href="http://video.search.yahoo.com/video/view?&amp;h=92&amp;w=120&amp;type=realmedia&amp;rurl=www.cricketfundas.com%2Fmultimedia.htm&amp;vurl=www.nii.co.in/index.html&amp;back=p%3Dsachin%2Btendulkar%26ei%3DUTF-8%26fl%3D0%26cv%3Dg%26fr%3D%26b%3D21&amp;turl=scd.mm-so.yimg.com%2Fimage%2F1791848075&amp;name=tiedtest.ram&amp;no=22&amp;tt=24&amp;p=sachin+tendulkar&amp;dur=273">http://video.search.yahoo.com/video/view?&amp;h=92&amp;w=120&amp;type=realmedia&amp;rurl=www.cricketfundas.com%2Fmultimedia.htm&amp;vurl=www.nii.co.in/index.html&amp;back=p%3Dsachin%2Btendulkar%26ei%3DUTF-8%26fl%3D0%26cv%3Dg%26fr%3D%26b%3D21&amp;turl=scd.mm-so.yimg.com%2Fimage%2F1791848075&amp;name=tiedtest.ram&amp;no=22&amp;tt=24&amp;p=sachin+tendulkar&amp;dur=273</a><br>
<br>
Note that the Play video can be made to point to any URL (<a href="http://www.nii.co.in/">www.nii.co.in</a> here). This can be done to other
parameters as well.<br>
<br>
--------------------------------------------------------------------<br>
<b>Yahoo Multiple URL Redirection:-</b><br>
e.g. <a href="http://in.rd.yahoo.com/prop/?http://google.com">http://in.rd.yahoo.com//prop/?http://google.com</a><br>
-------------------------------------------------------------------<br>
Thanks<br>
Sumit and Kishor<br>
<br clear="all">
<br>
-- <br>
<br>
Sumit Siddharth<br>
Information Security Analyst<br>
NII Consulting<br>
Web: <a href="http://www.nii.co.in/">www.nii.co.in</a><br>
------------------------------------<br>
NII Security Advisories <br>
<a href="http://www.nii.co.in/resources/advisories.html">http://www.nii.co.in/resources/advisories.html</a><br>
------------------------------------ <br>
<br>
</p>
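<p>Added example, not part of the original advisory and not Yahoo's code: a server-side check that a post-login redirect parameter such as .done (and, by the same logic, the vurl and redirector targets described above) must pass before it is used. The host allowlist, fallback URL and function names are assumptions made for illustration.</p>

```python
from urllib.parse import parse_qs, urlsplit

# Assumed values for illustration; a real deployment lists its own hosts.
ALLOWED_HOSTS = frozenset({"mail.example.com", "login.example.com"})
FALLBACK = "https://mail.example.com/"


def safe_redirect_target(done, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK):
    """Return `done` only if it is an absolute http(s) URL on an allowlisted
    host; otherwise return `fallback`. Relative and scheme-less values are
    rejected too, because browsers resolve them in surprising ways."""
    if not done:
        return fallback
    # Browsers treat a backslash like a slash and drop tabs and newlines,
    # so a value containing any of them is refused outright.
    if "\\" in done or any(c.isspace() or not c.isprintable() for c in done):
        return fallback
    try:
        parts = urlsplit(done)
        parts.port  # accessing it raises ValueError on a malformed port
    except ValueError:
        return fallback
    if parts.scheme not in ("http", "https"):
        return fallback
    # user@host URLs make the real destination easy to misread.
    if parts.username is not None or parts.password is not None:
        return fallback
    # Exact host match: suffix or substring checks would accept
    # mail.example.com.attacker.example.
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        return fallback
    return done


def target_from_login_url(login_url):
    """Pull the .done value out of a login URL and validate it."""
    query = parse_qs(urlsplit(login_url).query)
    return safe_redirect_target(query.get(".done", [""])[0])


if __name__ == "__main__":
    # Constructed sample input modelled on the advisory's login URL.
    sample = "http://login.example.com/config/login?.done=http%3a//google.com"
    print(target_from_login_url(sample))
```

<p>The check runs on the decoded parameter value, and the same function should guard every place a request-supplied URL is echoed back as a link or a Location header.</p>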