[Full-disclosure] Yahoo Toolbar YShortcut.dll IsTaggedBM() Buffer Overflow
- To: "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Yahoo Toolbar YShortcut.dll IsTaggedBM() Buffer Overflow
- From: Elazar Broad <elazarb@xxxxxxxxxxxxx>
- Date: Wed, 19 Dec 2007 10:56:28 -0500 (EST)
YShortcut is a feature of the Yahoo Toolbar which allows you to map shortcuts
to URLs, e.g. y = http://www.yahoo.com and bla = http://www.somesite.com. The
IsTaggedBM function is called every time anything is typed into the browser's
address bar. This function suffers from an exploitable buffer overflow if 3000
characters are passed to it. Instead of doing their own bounds checking, Yahoo
relies on the 2083 maximum URL length for Internet Explorer. This object is NOT
marked safe for scripting.
YShortcut.dll, version 2006.8.15.1
{67CE97C5-ABE6-429A-B6BD-3BD1333A0825}
Elazar
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
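The root cause named in the post is a callee trusting a caller-side length limit. The sketch below is an added example, not code from YShortcut.dll or from the original post: a shortcut lookup that checks input length against its own buffer before copying. The function name `lookup_shortcut`, the buffer size and the case-insensitive matching are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: IE's 2083 URL limit plus a terminator. */
#define KEY_BUF_LEN 2084

/* Constructed shortcut map using the two mappings named in the post. */
static const struct { const char *key, *url; } shortcuts[] = {
    { "y",   "http://www.yahoo.com" },
    { "bla", "http://www.somesite.com" },
};

/* Returns 1 for a known shortcut, 0 for no match, -1 if input is rejected. */
int lookup_shortcut(const char *typed, const char **url_out)
{
    char key[KEY_BUF_LEN];
    size_t n, i;

    if (typed == NULL || url_out == NULL)
        return -1;
    *url_out = NULL;

    /* Measure against our own buffer; stop scanning once it cannot fit. */
    for (n = 0; n < sizeof key && typed[n] != '\0'; n++)
        ;
    if (n == sizeof key)
        return -1;   /* too long: refuse, whatever the caller promised */

    /* Safe: n < sizeof key, so the copy and terminator stay in bounds. */
    for (i = 0; i < n; i++)
        key[i] = (char)tolower((unsigned char)typed[i]);
    key[n] = '\0';

    for (i = 0; i < sizeof shortcuts / sizeof shortcuts[0]; i++) {
        if (strcmp(key, shortcuts[i].key) == 0) {
            *url_out = shortcuts[i].url;
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    char big[3001]; const char *url;
    memset(big, 'A', 3000); big[3000] = '\0';   /* constructed oversized input */
    printf("y -> %d\n", lookup_shortcut("y", &url));
    printf("3000 chars -> %d\n", lookup_shortcut(big, &url));
    return 0;
}
```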