Yahoo! 360 Cross Site Request Forgery

Yahoo! 360 Cross Site Request Forgery: Posted Jun 11, 2009; Authored by Nam Nguyen | Site bluemoon.com.vn; Yahoo! 360 suffers from a cross site request forgery vulnerability.; tags | advisory, csrf; SHA-256 | c561b2f59db19b25e668508edc921b0cbd9477da5ea8253e3c76382200ab8f43; Download | Favorite | View

Yahoo! 360 Cross Site Request Forgery

BLUE MOON SECURITY ADVISORY 2009-05
===================================


:Title: Cross Site Request Forgery in Yahoo! 360plus
:Severity: Moderate
:Reporter: Thinh Q. Hoang and Blue Moon Consulting
:Products: Yahoo! 360plus
:Fixed in: --


Description
-----------

We could not find out the definitive description for Yahoo! 360plus from Yahoo! website. This is our own understanding of the application: Yahoo! 360plus is a blogging service.

We have discovered a Cross Site Request Forgery vulnerability in Yahoo! 360plus. The attacker could force an unknowning user to remove all her avatars by visiting a specially crafted page while her Yahoo! 360plus session is still valid.

This problem is similar to the one that allowed removal of user comments in Yahoo! 360 (the older version of Yahoo! 360plus). The link to avatar deletion is, in the case of Yahoo! 360plus Vietnam, ``http://vn.blog.yahoo.com/setup/profile_photo.php?act=del&prf_photo=1`` where ``prf_photo`` could be ``1``, ``2``, ``3``, or ``4``. Unlike other actions where a ``crumb`` token is required, this action does not require any token and hence suffers from a CSRF vulnerability.

Workaround
----------

Users of Yahoo! 360plus service should only login to make modifications and logout immediately when done.

Fix
---

There is no fix at the moment.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

  June 02, 2009: Initial security alert sent to security@yahoo-inc.com

:Vendor response:

  --

:Further communication:

  --

:Public disclosure: June 10, 2009

:Exploit code:

  No exploit code required.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Cheers
-- 
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn

Top Authors In Last 30 Days

Red Hat 219 files
Ubuntu 55 files
LiquidWorm 20 files
Debian 18 files
Apple 9 files
indoushka 5 files
Gentoo 5 files
Google Security Research 4 files
Alter Prime 3 files
Chokri Hammedi 3 files

File Archives

Systems

AIX (430)
Apple (2,126)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,158)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,604)
HPUX (881)
iOS (393)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,830)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,245)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,969)
UNIX (9,474)
UnixWare (188)
Windows (6,784)
Other

Yahoo! 360 Cross Site Request Forgery

Yahoo! 360 Cross Site Request Forgery

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Yahoo! 360 Cross Site Request Forgery

Share This

Yahoo! 360 Cross Site Request Forgery

File Archive:

November 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems