a small place to share your BIG knowledge

June 14, 2008

Yahoo! 360 XSS Vulnerability

Filed under: Uncategorized — knight4vn @ 5:57 pm
Tags: , , , ,

This is the report I sent to securityfocus. I’m gonna post about writing an XSS worm using this security hole in the next few days. It’s too lengthy to be covered in one single post. So this tutorial probably contains 2-3 parts. Right now, I’m quite busy with my summer classes but I hope I have it finished in time.

Application : Yahoo!360 Social networking site.

Release Date : June 13th 2008


Introduction:

Yahoo! 360° , introduced in 2005, is a personal communication portal operated by Yahoo!.

360° includes social networking, blogging, and photo sharing services.

Users can create personal web sites, share photos from Yahoo! Photos, maintain blogs, lists of local reviews, supply profile information, and see which friends are currently online.


Vulnerability:

Yahoo! 360 is vulnerable to Cross site scripting.


Discussion:

Yahoo! 360 has its built-in html filter which allows only html tags in their white-list to be displayed to the users. In addition, the string “javascript” is stripped out immediately if appears anywhere between ‘<‘ and ‘>’. This mechanism helps preventing dangerous script injected by the malicious users.

However, the filter does not remove variants of the original “javascript” string such as: “JavaScript”, “JAVASCRIPT” and etc.. Unfortunately, in some versions of IE (IE 6.0.x), these variants are treated equally as the normal “javascript”. Therefore, hackers can take advantage of this bug to execute evil javascript code to create blog, send messages and spread XSS worm with user identity. The possibility is endless.


Exploit:

Compose a new entry by going to:

http://blog.360.yahoo.com/blog/compose.html


Sample of an entry injected with hidden javascript code:

[HTML CODE]

<table background=JavaScript:alert(123)><tbody>Blogcontent</tbody><table>

[HTMLCODE]


Author: Duong ThanhKnight4vn (knightvn {at} gmail {dot} com)

Advertisements

Leave a Comment »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Create a free website or blog at WordPress.com.

%d bloggers like this: