BugTraq
XSS on Yahoo Mail Nov 23 2005 05:44PM
Richard Fuchshuber (richardfuch yahoo com br) (2 replies)
RE: XSS on Yahoo Mail Nov 24 2005 02:50AM
Will Wesley (willwesleyccna yahoo de) (3 replies)
Re: XSS on Yahoo Mail Nov 25 2005 05:30PM
Steven Champeon (schampeo hesketh com) (1 replies)
Re: XSS on Yahoo Mail Nov 26 2005 12:00AM
Will Wesley (willwesleyccna yahoo de)
RE: XSS on Yahoo Mail Nov 24 2005 10:41PM
Richard Fuchshuber (richardfuch yahoo com br)

Hi,

--- Will Wesley <willwesleyccna (at) yahoo (dot) de [email concealed]> wrote:

> This is not exactly a problem with Yahoo!, but rather
> a problem with the way browsers tend to render HTML
> when forced to deal with broken tags. Your "<?
> <table....> is not needed to accomplish the same
> thing, since a browser will consider everything from <
> to the next > as a tag. Since <? is not recognized the
> whole thing is ignored.
>
> The real problem is that you are injecting a TR
> element into the middle of a TD, then closing the
> table without first closing the TD. Any web developer
> who would do such a thing is a moron, and your browser
> does the best it can to make sense of it. You might
> try asking Yahoo how to turn HTML off, or simply use
> POP with a text only reader to work around this.

It isn't necessary to close the table; you just need the <tr></tr> part (I
had not noticed this before your mail). You can also use other tags to get
different results.

Anyway, I think that to prevent injection of HTML code into the Yahoo! Mail
interface, something should be done, since it could be used to fool users.

Cheers,

Richard
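
The check below is an added example, not part of the original post or of any Yahoo! code: it audits an untrusted HTML fragment (such as a mail body that a webmail page embeds inside a table cell) for the stray or unbalanced table tags discussed in this thread. It is deliberately strict, so fragments that rely on optional end tags are flagged too; `audit_fragment`, `FragmentTableAudit` and the sample strings are names and inputs constructed for this illustration.

```python
from html.parser import HTMLParser

# Parent that each table-structure element needs *inside the fragment itself*.
REQUIRED_PARENT = {
    "tr": {"table", "thead", "tbody", "tfoot"},
    "td": {"tr"}, "th": {"tr"},
    "thead": {"table"}, "tbody": {"table"}, "tfoot": {"table"},
    "caption": {"table"}, "colgroup": {"table"}, "col": {"colgroup", "table"},
}
TABLE_TAGS = set(REQUIRED_PARENT) | {"table"}

class FragmentTableAudit(HTMLParser):
    """Track only the table-structure tags opened by the fragment."""
    def __init__(self):
        super().__init__()
        self.stack = []     # table tags the fragment currently has open
        self.findings = []  # (kind, tag) pairs

    def handle_starttag(self, tag, attrs):
        if tag not in TABLE_TAGS:
            return
        parents = REQUIRED_PARENT.get(tag)
        if parents and (not self.stack or self.stack[-1] not in parents):
            # Would attach to a table of the embedding page, not the fragment's.
            self.findings.append(("stray-open", tag))
        if tag != "col":  # <col> is a void element, never stays open
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag not in TABLE_TAGS:
            return
        if tag in self.stack:
            while self.stack.pop() != tag:  # also drops nested tags left open
                pass
        else:
            # Closes an element the fragment never opened (e.g. the host's cell).
            self.findings.append(("stray-close", tag))

def audit_fragment(html):
    """Return findings; an empty list means table markup is self-contained."""
    parser = FragmentTableAudit()
    parser.feed(html)
    parser.close()
    return parser.findings + [("unclosed", t) for t in parser.stack]

if __name__ == "__main__":  # constructed samples, not from the original report
    for sample in ("Hi <tr></tr> there", "<table><tr><td>ok</td></tr></table>"):
        print(repr(sample), audit_fragment(sample))
```

A fragment with any finding is a candidate for escaping or for rebuilding through a real HTML sanitizer before it is placed into the page layout.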

Re: XSS on Yahoo Mail Nov 24 2005 07:28PM
Jim Ley (jim jibbering com)
Re: XSS on Yahoo Mail Nov 24 2005 01:23AM
Personal Account (jetflash hotpop com)


 
