Wednesday, December 07, 2005

Advisory


TITLE:
Yahoo servers URL redirection

SECUNIA ADVISORY ID:
coming soon.

VERIFY ADVISORY:
coming soon.

CRITICAL:
Moderately critical

IMPACT:
Manipulation of data

WHERE:
From remote

SOFTWARE:
Yahoo.com web site


DESCRIPTION:
$um$id has reported vulnerabilities in the Yahoo.com web site(s) which can be
exploited by malicious people to inject a malicious URL into the scripts running on the servers, causing a redirection to that malicious URL.
As the redirection is performed by the Yahoo servers, the victim will place the same amount of trust in the malicious URL as he/she would in the Yahoo servers. This can then be followed by a phishing attack.

Proof Of Concept:-
original link:- http://in.rd.yahoo.com//prop/?http://in.photos.yahoo.com/
malformed link:- http://in.rd.yahoo.com//prop/?http://www.any_malacious_link.com

Minutes after reporting this vulnerability with a different URL to Yahoo, that link was updated. However, the proof of concept contains the new URL, which still allows URL redirection.

SOLUTION:
Check the URL before rendering it in the browser.
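
One way to implement that check on the server side, as an added example (not Yahoo's code and not part of the original advisory). It assumes the redirector receives the destination as the raw query string, as in the links above, and that only hosts under yahoo.com are legitimate destinations; `TRUSTED_DOMAIN`, `FALLBACK`, the function names and the `evil.example` hosts are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the redirector should only send users to this domain or its subdomains.
TRUSTED_DOMAIN = "yahoo.com"
FALLBACK = "http://www.yahoo.com/"  # hypothetical safe landing page


def is_trusted_target(target: str) -> bool:
    """True only for absolute http(s) URLs whose host is TRUSTED_DOMAIN or a subdomain."""
    # Browsers and server-side parsers disagree on backslashes, whitespace and
    # control characters, so refuse them instead of guessing.
    if "\\" in target or any(ch <= " " or ch == "\x7f" for ch in target):
        return False
    try:
        parts = urlsplit(target)
        host = parts.hostname          # lower-cased, port and userinfo stripped
    except ValueError:                 # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False                   # rejects relative and scheme-relative targets
    if parts.username is not None or parts.password is not None:
        return False                   # "trusted-name@other-host" disguise
    host = host.rstrip(".")
    # Match on a label boundary: "evilyahoo.com" and "yahoo.com.evil.example" fail.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def resolve_redirect(query_string: str) -> str:
    """Map the query string of /prop/?<url> to the Location header to send."""
    return query_string if is_trusted_target(query_string) else FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs; the first two are the targets from the links above.
    samples = [
        "http://in.photos.yahoo.com/",
        "http://www.any_malacious_link.com",
        "http://in.photos.yahoo.com.evil.example/",
        "http://yahoo.com@evil.example/",
        "http://evil.example\\@in.photos.yahoo.com/",
        "//evil.example/",
    ]
    for s in samples:
        print(f"{s!r:50} -> {resolve_redirect(s)}")
```
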

PROVIDED AND/OR DISCOVERED BY:
$um$id
