Back to list
Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger
Jan 26 2007 03:26PM
hainamluke yahoo com
RE: Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger
Jan 27 2007 09:26PM
Ahmed Sheipani (sheipani gmail com)
Re: Cross-site Scripting with Local Privilege Vulnerability in Yahoo Messenger
Jan 27 2007 07:43PM
3B.Security Researcher (3b maillist gmail com)
Bingo! It works on the Y!messenger version 18.104.22.168 and have verified
it on my setup.
Quite strange indeed! Good finding ;) Let us see if it can be "really"
On 1/28/07, Ahmed Sheipani <sheipani (at) gmail (dot) com [email concealed]> wrote:
> I have just tested this with Yahoo! Messenger 22.214.171.124 , and it does not
> seem to work..
> However, I noticed that after setting the FirstName parameter to a very long
> one, the automatic notification message does not appear anymore.
> -----Original Message-----
> From: hainamluke (at) yahoo (dot) com [email concealed] [mailto:hainamluke (at) yahoo (dot) com [email concealed]]
> Sent: Friday, January 26, 2007 7:27 AM
> To: bugtraq (at) securityfocus (dot) com [email concealed]
> Subject: Cross-site Scripting with Local Privilege Vulnerability in Yahoo
> Importance: High
> I've found a cross-site scripting vulnerability in Yahoo! Messenger, a
> popular advertisement-supported instant messaging client and protocol
> provided by Yahoo! Attacker can inject a malicious script with local
> privilege to Y!M notification message.
> The vulnerability is discovered in the chat dialog. The automatic
> notification message of Yahoo! Messenger, for instance "Hai Nam Luke has
> signed out. (1/26/2007 10:03 PM)" or "Hai Nam Luke has signed back in.
> (1/26/2007 10:04 PM)" can be easily exploited with injecting a malicious
> script to. Script is disabled in chat messages but system notification
> messasage. That Yahoo Messenger uses Internet Explorer to display messages,
> the malicious script will be run with local privilege in the Internet
> Explorer Temporary Folder. This serious vulnerability could allow attacker
> gain the victim's system access.
> Inject unexpected script also causes other Yahoo! Messenger's errors.
> AFFECTED VERSION:
> Yahoo! Messenger 126.96.36.199 and previous versions
> PROOF OF CONCEPT:
> + Firstname: Hai Nam Luke Hai Nam Luke Hai Nam Luke Hai Nam Luke . ( as long
> as victim cant see the lastname)
> top.location)" >
> + Request to add victim ID to your contact list.
> + Once victim accepts your request, send him a message and change your
> online status (Available -> Invisible)
> This vulnerability was reported to Yahoo!
> Hai Nam Luke <hainamluke (at) yahoo (dot) com [email concealed]>
> K46A - NEU
[ reply ]
Copyright 2010, SecurityFocus