This is the report I sent to securityfocus. I’m gonna post about writing an XSS worm using this security hole in the next few days. It’s too lengthy to be covered in one single post. So this tutorial probably contains 2-3 parts. Right now, I’m quite busy with my summer classes but I hope I have it finished in time.
Application : Yahoo!360 Social networking site.
Release Date : June 13th 2008
Introduction:
Yahoo! 360° , introduced in 2005, is a personal communication portal operated by Yahoo!.
360° includes social networking, blogging, and photo sharing services.
Users can create personal web sites, share photos from Yahoo! Photos, maintain blogs, lists of local reviews, supply profile information, and see which friends are currently online.
Vulnerability:
Yahoo! 360 is vulnerable to Cross site scripting.
Discussion:
Yahoo! 360 has its built-in html filter which allows only html tags in their white-list to be displayed to the users. In addition, the string “javascript” is stripped out immediately if appears anywhere between ‘<‘ and ‘>’. This mechanism helps preventing dangerous script injected by the malicious users.
However, the filter does not remove variants of the original “javascript” string such as: “JavaScript”, “JAVASCRIPT” and etc.. Unfortunately, in some versions of IE (IE 6.0.x), these variants are treated equally as the normal “javascript”. Therefore, hackers can take advantage of this bug to execute evil javascript code to create blog, send messages and spread XSS worm with user identity. The possibility is endless.
Exploit:
Compose a new entry by going to:
http://blog.360.yahoo.com/blog/compose.html
Sample of an entry injected with hidden javascript code:
[HTML CODE]
<table background=JavaScript:alert(123)><tbody>Blogcontent</tbody><table>
[HTMLCODE]
Author: Duong Thanh – Knight4vn (knightvn {at} gmail {dot} com)
a small place to share your BIG knowledge 
Leave a comment