Cenzic 232 Patent
Paid Advertising
web application security lab

Multiple Yahoo XSS vulnerabilities

Rajesh Sethumadhavan just published a number of XSS and other vulnerabilities in Yahoo. Unfortunately, none of these are useful to launch other attacks against Yahoo’s Ajax infrastruture the way they are built. The ones that use yimg (click here for an example in IE and then click on the banner once it loads). The problem is that yimg is not on the same domain as yahoo.com.

For AJAX to work (at least these particular attacks that I have in mind) the domain has to be the same, so finding an XSS in yahoo.com proper is far more useful to launch these types of attacks.  The ones against Yahoo mail don’t seem to be remotely exploitable from what I can tell (like the yimg one above) but those would be ideal.  But regardless, Rajesh did a great job finding them!

5 Responses to “Multiple Yahoo XSS vulnerabilities”

  1. backbone Says:

    to “steal” the password from a yahoo user you could use the table xss exploit… found in february as i remember corectly… which wasn’t fixed because yahoo sad it isnt’ a yahoo vulnerability, just a browser parsing error… then through social engeeniring they will click it… and if lucky they will use IE, so with the address bar spoofing tehnique redirect them to a website which is a clone of yahoo…

    http://www.securityfocus.com/archive/1/417552/30/0/threaded
    http://www.darknet.org.uk/2006/04/ie-address-bar-spoofing/

    get a yahoo page clone from
    http://library.2ya.com/

  2. RSnake Says:

    Thanks, backbone, but neither of these will do the job… I need to actually introduce JavaScript (and actually an Ajaxy script at that) to take advantage of the issue. It can’t be in mail.yahoo.com, but www.yahoo.com in particular. It’s a pretty specific issue, actually.

  3. Cheng Peng Su Says:

    Google this:
    inurl:swf clicktag site:yahoo.com

    and I find:
    http://kr.java.yahoo.com/adv/yahoo/goodsplaza_0926_sky.swf?clickTAG=javascript:alert();

  4. RSnake Says:

    That’s a very good example, Cheng, thank you. Unfortunately, because of the same origin policy it won’t work. Yahoo does a redirect from yahoo.com to www.yahoo.com. It would have to be on www.yahoo.com exactly for this to work. But keep `em coming!

  5. dxe Says:

    A xss via yahoo…

    http://astrology.yahoo.com/editmy?.myedit=1&.done=”>

    I had to use http://tinyurl.com to actually execute this.

    The user must be logged in to view the page.

    my means of contact are via

    AimSN = Dxe

    email= Dxemail@ml1.net