Intro

Seems it’s time to disclose 21 zero-day XSS on Yahoo.
I am not breaking any rules or laws of any country (I hope, lol) by posting this publicly: Yahoo officially says that it needs only 90 days to roll out a fix for any vuln (see https://hackerone.com/yahoo – Yahoo’s bug bounty rules). This vuln affects 21 different Yahoo domains and has not been fixed for a year.

I reported this issue 9 months ago (https://hackerone.com/reports/77385) and tried to bump it, but no luck. They said that my report is a dup of https://hackerone.com/reports/54625 (reported around March 2015).

The main purpose of this post is just to draw the attention of the Yahoo security team to this ticket again (and finally get it fixed!).

XSS

Facts:

  • Reflected
  • Works only in IE (tested in IE 10 / Win 7; should also work in IE 7, 8, 9)
  • Bypasses the IE XSS filter

Based on the technique by https://twitter.com/Black2Fan, which lets an XSS payload be injected into the HOST header of the user’s requests (read more here).

PoC: https://sergeybelove.ru/exploits/yahoo_ie.php (IE only! It just injects an H1 tag)

(Screenshot 1, taken 2015-07-21)

(Screenshot 2, taken 2015-07-21)

This XSS is caused by the load balancer and… affects other domains too! I wrote a simple scanner:

For mass checking, and found that other domains (including flickr.com) are also vulnerable:

Why 21? Some other domains, like mail on the first screenshot, have to be checked manually.

One more fact: I added a check for XSS through the HOST header to my small and free one-button-scan – http://sergeybelove.ru/one-button-scan/
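As an added example (not the author’s scanner, nor Yahoo’s code), a Python sketch of both halves of the problem above: the check a site owner can run against their own front end to see whether the Host header value is reflected into the page unescaped, and the allow-list validation a balancer should apply so that an unexpected Host value is never echoed at all. The host names, allow list and HTTP responses are constructed for the example.

```python
import html
import http.client
import re

# Canary the check looks for in responses: a harmless unknown tag name. If it
# comes back byte-for-byte, the Host value reached the HTML unescaped.
CANARY = "<hostchk>"

# Host names the front end should accept (constructed example list).
ALLOWED_HOSTS = {"www.example.com", "mail.example.com"}

# RFC 1123 host name syntax: labels of letters, digits and hyphens.
_HOST_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?"
                      r"(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$")

# Constructed responses: a balancer error page that echoes the Host header
# raw, and the same page after the fix (escaped), for a request whose Host
# header carried the canary.
VULNERABLE_RESPONSE = "<html><body>Bad host: <hostchk>.www.example.com</body></html>"
FIXED_RESPONSE = "<html><body>Bad host: &lt;hostchk&gt;.www.example.com</body></html>"


def validate_host(host_header, allowed=ALLOWED_HOSTS):
    """Fix side: return the canonical host name, or None if the header is
    malformed or not one of ours. A balancer doing this before building any
    error page or redirect never echoes a client-supplied Host value."""
    name = host_header.strip().lower()
    if re.search(r":\d+$", name):          # drop an optional :port
        name = name.rsplit(":", 1)[0]
    if not _HOST_RE.match(name) or name not in allowed:
        return None
    return name


def classify_reflection(body, canary=CANARY):
    """Detection side: 'raw' if the canary is echoed unescaped (an XSS sink),
    'escaped' if only its HTML-escaped form appears, otherwise 'none'."""
    if canary in body:
        return "raw"
    if html.escape(canary) in body:
        return "escaped"
    return "none"


def probe(hostname, path="/", timeout=5.0):
    """Send one GET whose Host header carries the canary and classify the
    reply; skip_host=True lets us set the Host header ourselves."""
    conn = http.client.HTTPConnection(hostname, timeout=timeout)
    conn.putrequest("GET", path, skip_host=True)
    conn.putheader("Host", f"{CANARY}.{hostname}")
    conn.endheaders()
    body = conn.getresponse().read().decode("utf-8", "replace")
    conn.close()
    return classify_reflection(body)
```

`probe()` needs network access; the two constructed responses show what it classifies as `raw` (vulnerable) and `escaped` (fixed).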

P.S. I found exactly the same vuln on Wikipedia and they fixed it in just a few days – feel the difference.

UPD: BlackFan tweeted that he reported this issue 2 years ago! And it was a dup.
H1 report by BlackFan


February 28th, 2016

Posted In: bugbounty

  • WKG

    You need to intercept the whole communication of the user to exploit a host header issue.

  • R3NW4

    Can you give me the full link to the PoC?

    • sergeybelove

      Just read blogpost again and you will find everything.

      • R3NW4

        I have tested it and it does not work for me. Has it been patched?

        • sergeybelove

          Just checked – not patched – https://sergeybelove.ru/exploits/yahoo_ie.php
          What is your browser? IE? Version? OS?

          • R3NW4

            Iceweasel 3
            Linux ubuntu

            Just give me the full link for a different domain with an alert box.

          • sergeybelove

            Did you read blogpost? This XSS works only under IE 5-10. (IE – Internet Explorer).

          • R3NW4

            wtf