From full-disclosure  Wed Feb 12 16:04:02 2014
From: Jing Wang <justqdjing () gmail ! com>
Date: Wed, 12 Feb 2014 16:04:02 +0000
To: full-disclosure
Subject: [Full-disclosure] yahoo open redirect vulnerability full disclosur
Message-Id: <CAFWG0-ima9QqB0YVDT6+MCsCCDBHnQ93YaBxE8s=0g9+4_QBfA () mail ! gmail ! com>
X-MARC-Message: https://marc.info/?l=full-disclosure&m=139222168820963
MIME-Version: 1
Content-Type: multipart/mixed; boundary="--===============0001969164=="

--===============0001969164==
Content-Type: multipart/alternative; boundary=001a11c3d24eaf779d04f237b82e

--001a11c3d24eaf779d04f237b82e
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

Dear Sir/Madam,

I am a student from NTU, Singapore. My name is Wang Jing. I just found a
yahoo open redirect vulnerability and reported it to yahoo 10 days ago.

However, yahoo did nothing about it.



The following is full disclosure. Attachment is prove of concept video. And
the link below is poc video I just posted on youtube.
http://www.youtube.com/watch?v=3DGTd1Gkj6OUY&feature=3Dyoutu.be


I just found one open url redirection vulnerability in yahoo.

This attacks doesn't even need users to login yahoo. My test is on all
browsers in all computer systems.

I use "poc of exploit" to denote that url redirection works.

Now I will use a website just built by me for the following tests. The
website is "http://www.tetraph.com". We can think this website is
malicious, because it is fully under my control.


vulnerable url:

http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N=
.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2=
pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsG=
MjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.facebook.com%2Fcamp=
aign%2Flanding.php%3Fcampaign_id%3D127305407328718


poc exploit:


http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N=
.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2=
pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsG=
MjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.google.com

http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N=
.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2=
pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsG=
MjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.tetraph.com


poc video:

http://www.youtube.com/watch?v=3DGTd1Gkj6OUY&feature=3Dyoutu.be

--001a11c3d24eaf779d04f237b82e
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div><div><span style=3D"font-family:arial,helvetica,sans-=
serif"><font>Dear Sir/Madam,<br><br>I
 am a student from NTU, Singapore. My name is Wang Jing. I just found a=20
yahoo open redirect vulnerability and reported it to yahoo 10 days ago.<br>

<br></font></span></div><div><span style=3D"font-family:arial,helvetica,san=
s-serif"><font>However, yahoo did nothing about it. <br><br><br><br></font>=
</span></div></div><span style=3D"font-family:arial,helvetica,sans-serif"><=
font>The
 following is full disclosure. Attachment is prove of concept video. And
 the link below is poc video I just posted on youtube.<br>

<a href=3D"http://www.youtube.com/watch?v=3DGTd1Gkj6OUY&amp;feature=3Dyoutu=
.be" target=3D"_blank">http://www.youtube.com/watch?v=3DGTd1Gkj6OUY&amp;fea=
ture=3Dyoutu.be</a><br><br><br>

</font></span><p><span style=3D"font-family:arial,helvetica,sans-serif"><fo=
nt>I just found one
open url redirection vulnerability in yahoo. <br>
<br>
This attacks doesn&#39;t even need users to login yahoo. My test is on all =
browsers
in all computer systems.<br>
<br>
I use &quot;poc of exploit&quot; to denote that url redirection works.<br>
<br>
Now I will use a website just built by me for the following tests. The webs=
ite
is &quot;<a href=3D"http://www.tetraph.com" target=3D"_blank">http://www.te=
traph.com</a>&quot;. We can think this website is malicious,
because it is fully under my control. <br></font></span></p><p><span style=
=3D"font-family:arial,helvetica,sans-serif"><font><br></font></span></p><p>=
<span style=3D"font-family:arial,helvetica,sans-serif"><font>vulnerable url=
:</font></span></p>





<p><span style=3D"font-family:arial,helvetica,sans-serif"><font>
<a href=3D"http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50m=
KGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789=
R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTS=
pqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.facebook=
.com%2Fcampaign%2Flanding.php%3Fcampaign_id%3D127305407328718" target=3D"_b=
lank">http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEY=
XZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9=
tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu=
6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.facebook.com%=
2Fcampaign%2Flanding.php%3Fcampaign_id%3D127305407328718</a><br>






</font></span></p><p><span style=3D"font-family:arial,helvetica,sans-serif"=
><font><br></font></span></p><p><span style=3D"font-family:arial,helvetica,=
sans-serif"><font>poc exploit:</font></span></p><p>
<span style=3D"font-family:arial,helvetica,sans-serif"><font>
<a href=3D"http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50m=
KGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789=
R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTS=
pqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.google.c=
om" target=3D"_blank">http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t=
8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOh=
TQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9=
RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fw=
ww.google.com</a><br>






<br>
<a href=3D"http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50m=
KGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789=
R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTS=
pqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.tetraph.=
com" target=3D"_blank">http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5=
t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuO=
hTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56847z2B9qH1mMMmLu=
9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2F=
www.tetraph.com</a></font></span></p>





<p><span style=3D"font-family:arial,helvetica,sans-serif"><font><br></font>=
</span></p><p><span style=3D"font-family:arial,helvetica,sans-serif"><font>=
poc video:</font></span></p><p><span style=3D"font-family:arial,helvetica,s=
ans-serif"><font><a href=3D"http://www.youtube.com/watch?v=3DGTd1Gkj6OUY&am=
p;feature=3Dyoutu.be" target=3D"_blank">http://www.youtube.com/watch?v=3DGT=
d1Gkj6OUY&amp;feature=3Dyoutu.be</a></font></span></p>
</div>

--001a11c3d24eaf779d04f237b82e--


--===============0001969164==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============0001969164==--