[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [BMSA 2009-05] Cross Site Request Forgery in Yahoo! 360plus

To: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [BMSA 2009-05] Cross Site Request Forgery in Yahoo! 360plus
From: Nam Nguyen <namn@xxxxxxxxxxxxxxx>
Date: Wed, 10 Jun 2009 13:08:41 +0700

BLUE MOON SECURITY ADVISORY 2009-05
===================================


:Title: Cross Site Request Forgery in Yahoo! 360plus
:Severity: Moderate
:Reporter: Thinh Q. Hoang and Blue Moon Consulting
:Products: Yahoo! 360plus
:Fixed in: --


Description
-----------

We could not find out the definitive description for Yahoo! 360plus from Yahoo! 
website. This is our own understanding of the application: Yahoo! 360plus is a 
blogging service.

We have discovered a Cross Site Request Forgery vulnerability in Yahoo! 
360plus. The attacker could force an unknowning user to remove all her avatars 
by visiting a specially crafted page while her Yahoo! 360plus session is still 
valid.

This problem is similar to the one that allowed removal of user comments in 
Yahoo! 360 (the older version of Yahoo! 360plus). The link to avatar deletion 
is, in the case of Yahoo! 360plus Vietnam, 
``http://vn.blog.yahoo.com/setup/profile_photo.php?act=del&prf_photo=1`` where 
``prf_photo`` could be ``1``, ``2``, ``3``, or ``4``. Unlike other actions 
where a ``crumb`` token is required, this action does not require any token and 
hence suffers from a CSRF vulnerability.

Workaround
----------

Users of Yahoo! 360plus service should only login to make modifications and 
logout immediately when done.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 
<http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  June 02, 2009: Initial security alert sent to security@xxxxxxxxxxxxx

:Vendor response:

  --

:Further communication:

  --

:Public disclosure: June 10, 2009

:Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty 
of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either 
express or implied, including the warranties of merchantability and fitness for 
a particular purpose. Your use of the information on the advisory or materials 
linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd 
reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn

Attachment: pgpy2047xXvog.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: Re: [Full-disclosure] Blog Security Research - Taking almost 2k blogs to a security test
Next by Date: [Full-disclosure] FortiGuard Advisory: Microsoft Internet Explorer DHTML Handling Remote Memory Corruption Vulnerability
Previous by thread: [Full-disclosure] [USN-775-2] Quagga regression
Next by thread: [Full-disclosure] FortiGuard Advisory: Microsoft Internet Explorer DHTML Handling Remote Memory Corruption Vulnerability
Index(es):
- Date
- Thread