BugTraq
XSS on Yahoo Mail Nov 23 2005 05:44PM
Richard Fuchshuber (richardfuch yahoo com br) (2 replies)
RE: XSS on Yahoo Mail Nov 24 2005 02:50AM
Will Wesley (willwesleyccna yahoo de) (3 replies)
Re: XSS on Yahoo Mail Nov 25 2005 05:30PM
Steven Champeon (schampeo hesketh com) (1 replies)
Re: XSS on Yahoo Mail Nov 26 2005 12:00AM
Will Wesley (willwesleyccna yahoo de)
RE: XSS on Yahoo Mail Nov 24 2005 10:41PM
Richard Fuchshuber (richardfuch yahoo com br)
Re: XSS on Yahoo Mail Nov 24 2005 07:28PM
Jim Ley (jim jibbering com)
Re: XSS on Yahoo Mail Nov 24 2005 01:23AM
Personal Account (jetflash hotpop com)
Doing mouse over shows the truth.

On Wed, 2005-11-23 at 12:44, Richard Fuchshuber wrote:
> Hi,
>
> I've noticed a strange behavior in "Yahoo! Mail" when dealing with html
> attachments. It's possible to insert data into the "Yahoo! Mail" html
> interface.
>
> For example, with the following code in an html attachment it's possible
> to insert "Your profile is out of date, please update clicking here" above
> the button "Check Mail".
>
> <?
> <TABLE border="1" cellspacing="1" cellpadding="0">
> <TR>Your profile is out of date, please update <a
> href="www.blabla.com">clicking here.</a></TR>
> </TABLE>
>
> I think this could be used in a phishing scam.
>
> For a screenshot, see [1]. The circulated text was inserted into interface
> of the "Yahoo! Mail" through an email with the above code as an html
> attachment.
>
> I tried to contact "Yahoo!" several times, without success.
>
>
> [1] - http://richard.computeiro.com/yahoo_bug.jpg
>
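
An added example, not part of the original thread and not Yahoo!'s code: one way a webmail preview could neutralise an HTML attachment like the one quoted above before placing it in the interface. Only an assumed allowlist of tags survives, every tag that is opened gets closed, and each link's real destination is printed next to its text instead of being left to mouse-over; the function names and the allowlist are hypothetical.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"b", "i", "em", "strong", "p"}   # assumed preview policy, not Yahoo!'s
SAMPLE = ('<?\n<TABLE border="1" cellspacing="1" cellpadding="0">\n'
          '<TR>Your profile is out of date, please update <a\n'
          'href="www.blabla.com">clicking here.</a></TR>\n</TABLE>\n')  # from the post

def http_host(href):  # host of an absolute http(s) URL, else None
    try:
        parts = urlsplit(href)
        return parts.hostname if parts.scheme in ("http", "https") else None
    except ValueError:
        return None

class AttachmentSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.stack = [], []   # stack holds (tag, text emitted on close)

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.handle_endtag("a")                      # no nested anchors
            href = dict(attrs).get("href") or ""
            host = http_host(href)
            if host:                                     # only href is copied
                self.out.append('<a href="%s" rel="noopener noreferrer">' % escape(href))
                self.stack.append(("a", "</a> [%s]" % escape(host)))
            else:                                        # relative or non-http target
                self.stack.append(("a", " [not linked: %s]" % escape(href)))
        elif tag in ALLOWED:
            self.out.append("<%s>" % tag)                # attributes never copied
            self.stack.append((tag, "</%s>" % tag))
        # any other tag (TABLE, TR, SCRIPT, ...) is dropped; its text is kept escaped

    def handle_endtag(self, tag):
        while any(t == tag for t, _ in self.stack):      # closes inner tags too
            t, closer = self.stack.pop()
            self.out.append(closer)
            if t == tag:
                break
    def handle_data(self, data):
        self.out.append(escape(data))

def sanitize_attachment(markup):
    p = AttachmentSanitizer()
    p.feed(markup)
    p.close()                                            # flush buffered text
    return "".join(p.out + [c for _, c in reversed(p.stack)])  # balance open tags
```

Run on `SAMPLE`, the result contains no markup at all, and the link text is followed by `[not linked: www.blabla.com]`.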

Copyright 2010, SecurityFocus