Yahoo! Messenger script injection using a ymsgr:addview? URL
| yahoo-messenger-script-injection (9184) |  Medium Risk |
Description:
Yahoo! Messenger could allow a remote attacker to inject malicious script into a victim's Yahoo! Messenger client. A remote attacker could create a specially-crafted ymsgr:addview? URL that refers to a Web page containing script, which would be executed on the system by the Yahoo! Messenger client.
Platforms Affected:
- Yahoo, Messenger 5.0
Remedy:
Upgrade to the latest version of Yahoo! Messenger (5.0 Build 1065 or later), available from the Yahoo! Messenger Web site. See References.
Consequences:
Gain Access
References:
- BugTraq Mailing List, Mon May 27 2002 - 10:20:54 CDT, Yahoo Messenger - Multiple Vulnerabilities at http://archives.neohapsis.com/archives/bugtraq/2002-05/0228.html.
- CERT Advisory CA-2002-16, Multiple Vulnerabilities in Yahoo! Messenger at http://www.cert.org/advisories/CA-2002-16.html.
- Yahoo! Messenger Web site, Download Yahoo! Messenger at http://messenger.yahoo.com/messenger/download/index.html.
- BID-4838: Yahoo! Instant Messenger Script Injection Vulnerability
- CVE-2002-0032: Yahoo! Messenger 5,0,0,1064 and earlier allows remote attackers to execute arbitrary script as other users via the addview parameter of a ymsgr URI.
- US-CERT VU#172315: Yahoo! Messenger addview function allows for the automatic execution of malicious script contained in web pages
Reported:
May 27, 2002
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net