Wednesday, April 26, 2006

Blogger.com, Monster.com XSS


Check out the advanced search with keyword
script alert(document.cookie); script

for monster.com[indian website, not tested in others] and for blogger, try posting with the text as shown above.

Voila!!!
The paranthesis have been removed by blogger.com as it doesnot permit html tags

Not sure if one can exploit the blogger.com bug.
Voila!!!
Anyway Xss is not such a big issue or is it?:-)...

$um$id

Wednesday, December 21, 2005

YAHOO BUGS

=====================>> Security Advisory <<=====================//



------------------------------ ------------------------------

---------
Multiple YAHOO BUGS
---------------------------------------------------------------------



--[ Author: Sumit Siddharth and Kishor Sonawane, NII Consulting (www.nii.co.in)

--[ Discovery Date: 07/12/2005

--[ Vendor Contacted: 07/12/2005

--[ vendor response: No response

--[Bug released: 21/12/2005

--[ Website: www.yahoo.com

--[ Severity: Low




YAHOO MAIL XSS BUG

A XSS bug was identified in YAHOO mail. We are not able to verify whether it is remotely exploitable, thus we will call it a bug.

Yahoo mail has a Yahoo Notepad feature. The same has options for maintaining folder(s). There exists an option to rename a folder. The prompt which appears allows any arbitrary script execution. However, we are still not able to verify if it is remotely exploitable.
Screen shot can be seen at the following links

1. http://www.nii.co.in/vuln/yahoo1.jpg
2. http://www.nii.co.in/vuln/yahoo2.jpg

---------------------------------------------------------------------

Yahoo mail URL injection/URL redirection:-


http://login.yahoo.com/config/login?.intl=us&.src=ym&.done=http%3a//google.com

The done parameter is not properly sanitized before returning the URL. Thus after successful validation the victim will be redirected to any URL (google here). This can then be followed by a phishing attack.

---------------------------------------------------------------------

Yahoo Videos URL Injection/URL Redirection:-


http://video.search.yahoo.com/video/view?&h=92&w=120&type=realmedia&rurl=www.cricketfundas.com%2Fmultimedia.htm&vurl=www.nii.co.in/index.html&back=p%3Dsachin%2Btendulkar%26ei%3DUTF-8%26fl%3D0%26cv%3Dg%26fr%3D%26b%3D21&turl=scd.mm-so.yimg.com%2Fimage%2F1791848075&name=tiedtest.ram&no=22&tt=24&p=sachin+tendulkar&dur=273

Note that the Play video can be made to point to any URL (www.nii.co.in here).This can be done to other parameters as well.

--------------------------------------------------------------------
Yahoo Multiple URL Redirection:-
eg. http://in.rd.yahoo.com//prop/?http://google.com
-------------------------------------------------------------------
Thanks
Sumit and Kishor

Wednesday, December 07, 2005

Yahoo Advisory

My Advisory for Yahoo redirection vulnerability ,made yahoo take immediate actions and within half an hour
the vulnerable links on the yahoo U.S servers were updated .
Read my advisory here.
SumSid

Friday, December 02, 2005

Security Focus Article

Check out my articles on SecurityFocus
Comments/Suggestions invited.
Thanks
Sumit

Wednesday, November 30, 2005

Advisories