[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: Re: [Full-disclosure] yahoo open redirect vulnerability full disclosur
From: Ronny Vasquez <ronny.vasquezgt () gmail ! com>
Date: 2014-02-13 14:35:10
Message-ID: CAEvPn0g-crFhguq=mtQyJMi2YKKk4zsV4WRdiOjQwFM5ROp1pg () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
Hi,
Works with an Add url that's not expire, when the add is replaced with
another one the exploit don't work, but nice vulnerability that you find.
On Wed, Feb 12, 2014 at 10:04 AM, Jing Wang <justqdjing@gmail.com> wrote:
> Dear Sir/Madam,
>
> I am a student from NTU, Singapore. My name is Wang Jing. I just found a
> yahoo open redirect vulnerability and reported it to yahoo 10 days ago.
>
> However, yahoo did nothing about it.
>
>
>
> The following is full disclosure. Attachment is prove of concept video.
> And the link below is poc video I just posted on youtube.
> http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be
>
>
> I just found one open url redirection vulnerability in yahoo.
>
> This attacks doesn't even need users to login yahoo. My test is on all
> browsers in all computer systems.
>
> I use "poc of exploit" to denote that url redirection works.
>
> Now I will use a website just built by me for the following tests. The
> website is "http://www.tetraph.com". We can think this website is
> malicious, because it is fully under my control.
>
>
> vulnerable url:
>
>
> http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9Ut \
> V2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa5684 \
> 7z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.facebook.com%2Fcampaign%2Flanding.php%3Fcampaign_id%3D127305407328718
>
>
> poc exploit:
>
>
> http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9Ut \
> V2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa5684 \
> 7z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.google.com
>
>
> http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBCF9Ut \
> V2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa5684 \
> 7z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.tetraph.com
>
>
> poc video:
>
> http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Atentamente,
Ronny Vasquez
IT Security Advisor.
[Attachment #5 (text/html)]
<div dir="ltr">Hi,<div><br></div><div>Works with an Add url that's not expire, when the add \
is replaced with another one the exploit don't work, but nice vulnerability that you \
find.</div></div><div class="gmail_extra"> <br><br><div class="gmail_quote">On Wed, Feb 12, \
2014 at 10:04 AM, Jing Wang <span dir="ltr"><<a href="mailto:justqdjing@gmail.com" \
target="_blank">justqdjing@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" \
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> <div \
dir="ltr"><div><div><span style="font-family:arial,helvetica,sans-serif"><font>Dear \
Sir/Madam,<br><br>I am a student from NTU, Singapore. My name is Wang Jing. I just found a
yahoo open redirect vulnerability and reported it to yahoo 10 days ago.<br>
<br></font></span></div><div><span \
style="font-family:arial,helvetica,sans-serif"><font>However, yahoo did nothing about it. \
<br><br><br><br></font></span></div></div><span \
style="font-family:arial,helvetica,sans-serif"><font>The following is full disclosure. \
Attachment is prove of concept video. And the link below is poc video I just posted on \
youtube.<br>
<a href="http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be" \
target="_blank">http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be</a><br><br><br>
</font></span><p><span style="font-family:arial,helvetica,sans-serif"><font>I just found one
open url redirection vulnerability in yahoo. <br>
<br>
This attacks doesn't even need users to login yahoo. My test is on all browsers
in all computer systems.<br>
<br>
I use "poc of exploit" to denote that url redirection works.<br>
<br>
Now I will use a website just built by me for the following tests. The website
is "<a href="http://www.tetraph.com" target="_blank">http://www.tetraph.com</a>". We \
can think this website is malicious, because it is fully under my control. \
<br></font></span></p><p><span \
style="font-family:arial,helvetica,sans-serif"><font><br></font></span></p><p><span \
style="font-family:arial,helvetica,sans-serif"><font>vulnerable url:</font></span></p>
<p><span style="font-family:arial,helvetica,sans-serif"><font>
<a href="http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvce \
YBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITG \
a56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.facebook.com%2Fcampaign%2Flanding.php%3Fcampaign_id%3D127305407328718" \
target="_blank">http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94 \
J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6 \
F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A% \
2F%2Fwww.facebook.com%2Fcampaign%2Flanding.php%3Fcampaign_id%3D127305407328718</a><br>
</font></span></p><p><span \
style="font-family:arial,helvetica,sans-serif"><font><br></font></span></p><p><span \
style="font-family:arial,helvetica,sans-serif"><font>poc exploit:</font></span></p><p> <span \
style="font-family:arial,helvetica,sans-serif"><font> <a \
href="http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvceYBC \
F9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITGa56 \
847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.google.com" \
target="_blank">http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94 \
J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6 \
F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.google.com</a><br>
<br>
<a href="http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94J5zLvce \
YBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6F.wnITG \
a56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.tetraph.com" \
target="_blank">http://ads.yahoo.com/clk?3,eJyti18LgjAUxb-QD246p4we5t8UZw0W4d50mKGGEYXZp09N.AT94 \
J5zLvceYBCF9UtV2QgrZakSlgSYhrKLElVloemEEAPbEJuOhTQ6k0nIB789R9Rd9tToJV2pp3Frb8lHe9Z9cD-8KP-d3yxz6 \
F.wnITGa56847z2B9qH1mMMmLu9RTHKxQlKkTSpqEEu6JOJsGMjuLKPbFPR3aQvGyZiJP0W5Hxr7jRN.wKrBU.A,http%3A%2F%2Fwww.tetraph.com</a></font></span></p>
<p><span style="font-family:arial,helvetica,sans-serif"><font><br></font></span></p><p><span \
style="font-family:arial,helvetica,sans-serif"><font>poc video:</font></span></p><p><span \
style="font-family:arial,helvetica,sans-serif"><font><a \
href="http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be" \
target="_blank">http://www.youtube.com/watch?v=GTd1Gkj6OUY&feature=youtu.be</a></font></span></p>
</div>
<br>_______________________________________________<br>
Full-Disclosure - We believe in it.<br>
Charter: <a href="http://lists.grok.org.uk/full-disclosure-charter.html" \
target="_blank">http://lists.grok.org.uk/full-disclosure-charter.html</a><br> Hosted and \
sponsored by Secunia - <a href="http://secunia.com/" \
target="_blank">http://secunia.com/</a><br></blockquote></div><br><br \
clear="all"><div><br></div>-- <br><div dir="ltr"><div>Atentamente,</div>Ronny Vasquez<br> \
<div>IT Security Advisor. </div></div>
</div>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic