Yahoo France site vulnerable to Cross Site Scripting
14 September 2001

--[ Yahoo's French Web Site vulnerable to Cross Site Scripting ]--

Problem discovered: 28/08/2001
by Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com |
http://www.iSecureLabs.com

--[ Overview ]--

Yahoo is a well-known news portal. The French Yahoo News portal suffers from a Cross Site Scripting vulnerability.

--[ Description ]--

Yahoo's French web site may inadvertently include malicious HTML tags or script in a dynamically generated page, based on unvalidated input from the user.

The search script http://fr.search.yahoo.com/search/news_fr no longer checks for malicious HTML or JavaScript code.

Example:

http://fr.search.yahoo.com/search/news_fr?p=&nice=<hr><hr><hr><hr><h1>Vulbérabilité%20sur%20Yahoo!!!</h1><hr><hr><hr>%3Cscript%3Ealert(%22C%20est%20une%20vulnerabilite%20de%20type%20cross%20site%20scripting%22);%3C/script%3E&z=date&n=10

Screen Capture :
http://www.isecurelabs.com/advisory/yahooooooo2.gif
http://www.isecurelabs.com/advisory/yahoooooooo.gif
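
The reflection described above, reproduced offline as an added example (not code from the advisory or from Yahoo): the `nice` value from the advisory's URL is placed into a page once unescaped and once HTML-escaped, and an HTML parser reports which tags each version introduces. The page template and all function names are assumptions, since the real page markup is not shown in the advisory.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Request URL copied from the advisory's example.
ADVISORY_URL = (
    "http://fr.search.yahoo.com/search/news_fr?p=&nice="
    "<hr><hr><hr><hr><h1>Vulbérabilité%20sur%20Yahoo!!!</h1><hr><hr><hr>"
    "%3Cscript%3Ealert(%22C%20est%20une%20vulnerabilite%20de%20type%20"
    "cross%20site%20scripting%22);%3C/script%3E&z=date&n=10"
)

# Hypothetical page template (assumption): the real markup is not on the page.
TEMPLATE = "<html><body><div>{nice}</div></body></html>"
TEMPLATE_TAGS = {"html", "body", "div"}

def query_param(url, name):
    """Return the percent-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])[0]

def render_vulnerable(url):
    """Reflect the parameter into the page without any output encoding."""
    return TEMPLATE.format(nice=query_param(url, "nice"))

def render_hardened(url):
    """Reflect the same parameter, HTML-escaped for element content."""
    return TEMPLATE.format(nice=escape(query_param(url, "nice"), quote=True))

class _TagCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

def injected_tags(page_html):
    """Start tags an HTML parser sees that the template itself never emits."""
    collector = _TagCollector()
    collector.feed(page_html)
    collector.close()
    return [t for t in collector.tags if t not in TEMPLATE_TAGS]

if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(ADVISORY_URL)))
    print("hardened:  ", injected_tags(render_hardened(ADVISORY_URL)))
```

The same `injected_tags` check can serve as a regression test for any handler that echoes a request parameter into HTML.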

--[ Fix ]--

Yahoo has been alerted and has fixed the problem.

--[ Information about CSS ]--

http://httpd.apache.org/info/css-security/apache_specific.html
http://www.cert.org/advisories/CA-2000-02.html

---
Cabezon Aurélien | aurelien.cabezon@iSecureLabs.com
http://www.iSecureLabs.com | French Security Portal
http://www.iSecureLabs.com/advisory | Advisory folder




COPYRIGHT 1998-2014 BY HELP NET SECURITY.