czwartek, 7 marca 2013

Stored XSS - Yandex Mail

Zgłoszony ponad dwa miesiące temu, dawno poprawiony - stored XSS w usłudze Yandex Mail objętej programem bug bounty.

Poniżej oryginalne zgłoszenie:

Hello there,

I just found an stored cross-site scripting vulnerability in Yandex.Mail. Here's a short info about reproduction of this bug: 

1) Victim gets mail with picture of sweet kitteh ;) attachment name is: 

kitteh<img src=a onerror=alert(document.cookie)>hhhh.jpg

2) As you can see - picture looks really cute - that's why victim decides to zoom it. After clicking the thumbnail - javascript code executes. 

I attached some screenshot. 

Waiting for feedback. 

Jakub Zoczek

5 komentarzy:

  1. This is one of the best post i have read in months, its really great and inspiring, i will really like to read more form you and will like to share with others as well, keep writing more
    Buy Weed Seeds Online
    Buy A-796,260 Online
    Buy Phenethylamine Psychedelics online
    Subutex 8mg Online
    Order Quaaludes Mandrax 300mg online
    Buy DMT Dimethyltryptamine Online
    Valium Diazepam For Sale Online
    Buy Harvoni ledipasvir sofosbuvir online
    Cannabis Oil For Sale
    Buy enzodiazepines online you can as well Whatsapp/Text +1(646)883-3072 , Telegram: primenature or for more details.