Finjan has discovered a script injection vulnerability in Yahoo! Mail that allows a remote attacker to execute malicious scripts when the victim is reading his/her mail.
Credit:
The information has been provided by Rafel Ivgi, The-Insider.
Yahoo's mobile code filtering mechanism is based on an active content filter whose purpose is to block the injection of any active content into Yahoo! messages. Yahoo's filter identifies any inline use of the JavaScript protocol (e.g. javascript:) and, upon identification, adds an underscore before the "j", turning it into an invalid protocol request. This filtering algorithm can be bypassed by inserting encoded tab characters into the JavaScript string.
For example:
------------
<div style="background: url(j a v a
s c r i p t:alert());"></div>
Any tag that supports the style property can be used to call a JavaScript file. The injected JavaScript code could lead to:
* Automatic launching of malicious code
* Stealing the victim's password by using a spoofed re-login window
* Reading the victim's INBOX and contacts
* Sending an email message without any user authorization
Proof of Concept:
<div style="backgr
ound:ur
l(ja v a
sc r i p
t:alert());"></div>
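The check below is an added illustration, not Finjan's or Yahoo's code. It emulates the filter the advisory describes (an assumed literal match on "javascript:" that prefixes an underscore) and contrasts it with a check that first decodes HTML entities and strips the tab/newline characters browsers ignore inside a URL scheme, which is why the entity-encoded form slips past the literal match. The sample markup is constructed for the example.

```python
import html
import re

# Browsers drop ASCII tab, LF and CR anywhere inside a URL, so a scheme
# written as "j<tab>ava<tab>script:" still resolves to javascript: once the
# HTML entities have been decoded.
_IGNORED_IN_URL = re.compile(r"[\t\n\r]")
_URL_IN_STYLE = re.compile(r"url\(\s*['\"]?([^'\")]*)", re.IGNORECASE)


def naive_filter(markup: str) -> str:
    """Assumed emulation of the advisory's filter: a literal, case-insensitive
    match on 'javascript:' that inserts an underscore before the 'j'."""
    return re.sub(r"javascript:", "_javascript:", markup, flags=re.IGNORECASE)


def normalize_url(raw: str) -> str:
    """Decode entities, then remove the characters a browser ignores."""
    decoded = html.unescape(raw)
    return _IGNORED_IN_URL.sub("", decoded).strip().lower()


def style_has_script_url(markup: str) -> bool:
    """True if any url() in the markup resolves to the javascript: scheme
    after browser-side normalization, i.e. what the filter should catch."""
    return any(normalize_url(u).startswith("javascript:")
               for u in _URL_IN_STYLE.findall(markup))


def naive_filter_bypassed(markup: str) -> bool:
    """Does a working javascript: URL survive the naive filter?"""
    return style_has_script_url(naive_filter(markup))


# Constructed samples (not copied from the advisory).
PLAIN = '<div style="background: url(javascript:alert());"></div>'
ENCODED_TABS = ('<div style="background: url(j&#09;a&#09;v&#09;a&#09;'
                's&#09;c&#09;r&#09;i&#09;p&#09;t:alert());"></div>')
BENIGN = '<div style="background: url(https://example.com/bg.png);"></div>'
```

Running the check shows the literal match neutralizes PLAIN but leaves ENCODED_TABS intact, while the normalized check flags both and leaves BENIGN alone.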
Vulnerability Status:
Vendor was notified on Sep 8th, 2004. The bug is now fixed.