Yahoo! Mail Cross Site Scripting

`Title: Yahoo mail Dom Based Cross Site Scripting  
  
Author: Pratul Agrawal <pratulag[at]yahoo[dot]com>  
Date: 13/06/2010  
Indian Hacker  
  
Service: Webmail  
  
Vendor: Yahoo mail, and possibly others  
  
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks  
  
Severity: High  
  
Tested on: Microsoft IE 7.0  
  
Details:  
  
Yahoo mail filter fails to detect script attributes in combination with  
the style attribute as a tag, leaving everyone using yahoo mail service  
with MSIE vulnerable to Cross Site Scripting including Cookie Theft and  
relogin attacks. This is a high risk security vulnerability because the  
attacker wont have to make the victim click on any link, all he/she has  
to do is to send the javascript code as an html email to the target and  
once the victim open the email the malicious code will be executed in  
his/her browser.  
  
Impact:  
  
This is totally a dom based xss attack. an application takes the user suplied data and directly feed it into the API designed to show the Newly created folder name n the yahoomail. Throug this an attacker can easily perform a cookie theft attack, Site defacement attack and many more.  
  
Steps of Exploit code:  
  
1. Login the yahoomail with valid credentials.  
  
2. Click on inbox.  
  
3. Now click on Move to < create New Folder.  
  
4. Now enter the javascript "><script>alert('yahoo sucks!')</script> in the field given for creating new folder.  
  
5. Press OK and the script get executed. yahhhhooooo  
  
HuReee hUreYYYY  
  
`