[41353] in bugtraq
Re: XSS on Yahoo Mail
daemon@ATHENA.MIT.EDU (Personal Account)
Sat Nov 26 09:14:46 2005
From: Personal Account <jetflash@hotpop.com>
To: bugtraq@securityfocus.com
In-Reply-To: <20051123174434.63256.qmail@web53001.mail.yahoo.com>
Content-Type: text/plain; charset=ISO-8859-1
Message-Id: <1132795399.7506.2.camel@localhost>
Mime-Version: 1.0
Date: Wed, 23 Nov 2005 20:23:19 -0500
Content-Transfer-Encoding: 8bit
Doing mouse over shows the truth.
On Wed, 2005-11-23 at 12:44, Richard Fuchshuber wrote:
> Hi,
>
> I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
> attachments. It's possible to insert data into the "Yahoo! Mail" html
> interface.
>
> For example, with the following code in an html attachment it's possible
> to insert "Your profile is out of date, please update clicking here" above
> the button "Check Mail".
>
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
>
> I think this could be used in phishing scam.
>
> For a screenshot, see [1]. The circulated text was inserted into interface
> of the "Yahoo! Mail" through an email with the above code as an html
> attachment.
>
> I tried to contact "Yahoo!" several times, without success.
>
>
> [1] - http://richard.computeiro.com/yahoo_bug.jpg
>
>
>
>
>
>
>
>
>
>
>
> _______________________________________________________
> Yahoo! Acesso Grátis: Internet rápida e grátis.
> Instale o discador agora!
> http://br.acesso.yahoo.com/
>
