[RESOLVED] XSS False Positive at Yahoo Classic Mail
Yahoo Classic Mail has an auto-save feature, similar to many word processors, that saves a draft copy every few minutes when you are composing a long message or take a break during composing. Then if you have a crash or accidentally delete or whatever, you have most of it available in the saved draft.
Today I was composing a lengthy message. It saved once or twice. When I tried to hit "send", it hung, and the XSS logo appeared in status bar. I clicked "Unsafe reload", and received the warning,
UNSAFELY reloading a suspicious
POST [http:/us.mc563.mail.yahoo.com/mc/compose/?action_msg_autosave=1&noc&view=none]:
FROM [http://us.mc563.mail.yaoo.com/mc/welcome?.gx=0&rand=(random string)]
I OK'd the "unsafe reload", and still it hung. A new script address (new to me, at least,) appeared in NS menu: 216.252.110.31
Lookup:
IP address: 216.252.110.31
Host name: attach.mail.vip.re3.yahoo.com
216.252.110.31 is from United States(US) in region North America
With its origin from Yahoo verified, I TA'd this script. Then, the page reloaded as a blank "compose mail" page, losing all of the contents.
Fx 2-20, NS 1.9.3.6, whitelist yahoo.com, yimg.com, akamai.net. (They are still adding a sub-object for attachment and another sub-object for d/l attachment, which must be TA'd manually each time, but this message had no attachments.) The issue did not occur on the previous message that I sent, which was very short and did not trigger the auto-save feature. This might seem to confirm the XSS warning that the auto-save script is involved. It's not separately visible in the NS menu; at this moment, the NS logo shows 81 scripts running. (I hate that they keep complicating it. Last week, it was only 60 scripts.)
TIA for any help.
Last edited by Tom T. on Tue Jun 09, 2009 6:35 am, edited 1 time in total.
Reason: resolved with dev build .91
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: XSS False Positive at Yahoo Classic Mail
I'm not seeing anything, SeaMonkey 1.1.16?
just a test to see if autosave generates XSS warnings ...
draft last saved @ 10:35 am ...
draft last saved @ 10:48 am ...
draft last saved @ 11:11 am ...
All during that time, nothing showed in Error Console.
When I finally sent the email, a lot of warnings dealing with Yahoo's .css, 1 error (unrelated), but that's it.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
Re: XSS False Positive at Yahoo Classic Mail
OK. Yahoo Mail Classic.
This time, I stuck in a larger (76KB) "text" document.
Let it sit & stew for a while.
At some point, I turned on Rich Text (rather than Plain) & did some highlighting & bolding & made some font size changes.
Let it sit & stew for a while.
Nothing of interest in Error Console.
Let it sit & stew for a while.
Hit Send.
At this point (now) I have an hourglass on the page & an Unsafe Reload icon.
Error Console not showing anything.
So I accept the Unsafe Reload, it warns me (I did not note it, expecting it to appear in Error Console, but it did not), then I get a page warning (possibly because of the extended period of time till I accepted the Unsafe Reload?):
Connection Interrupted
The document contains no data.
The network link was interrupted while negotiating a connection. Please try again.
Try again warns of POSTDATA ... & just brings me back to the same page warning. So that much of it is no go at this point. Back-arrow & I'm back in my (composing) message, all looking to be complete.
Send.
It tells me I need to enter an email address in the To: field.
(so a test, I'll put in Giorgio's - kidding)
This time it worked without protest.
The only error that showed up:
Error: uncaught exception: [Exception... "Component returned failure code: 0x805e000a [nsIDOMHTMLIFrameElement.src]" nsresult: "0x805e000a (<unknown>)" location: "JS frame :: http://us.mc624.mail.yahoo.com/darla/md.php?en=CP1252 :: anonymous :: line 50" data: no]
Otherwise just a bunch of warnings.
So yes, something is up with Yahoo mail. Setting the mail compose format to Rich Text may have something to do with it?
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
Re: XSS False Positive at Yahoo Classic Mail
Went through the deal again, Rich Text, but only a few line message, & that proceeded without incident.
Told my 76K'r to Forward, added a line or two & had it sitting.
Doing nothing more, at some point Unsafe Reload icon showed up.
Show Console shows nothing of substance, no mention of the reload.
(heh. went to upload unsafe reload warning to tinypic, hit ctrl+\, & ended up with a good 18+ second hang with seamonkey running 98% CPU.)

OK that dialog & ...

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.21) Gecko/20090403 SeaMonkey/1.1.16
Re: XSS False Positive at Yahoo Classic Mail
I receive and send in plain text only.
It seems that adding that numerical IP 216.252.110.31 to the whitelist has fixed it - for this week. Next week, they'll add more complications. There was no way to know this without going through the discovery process.
A couple of years ago, they had a product that worked fine without any iFrames, sub-objects, etc., just the basic domains yahoo and yimg. (They don't seem to use Akamai any more, AFAIK. Will un-w/l it and see what happens.) They keep adding more and more complications to things that weren't broken, for no good purpose, and breaking things in the process. They've been doing this regularly and periodically for quite a while. I still have no way to u/l or d/l attachments without allowing the sub-object and reload each time, unless I give blanket permission for iFrames, which I don't wish to do.
It's also possible that Giorgio's planned tweaks to the XSS rules that were somehow connected with ABE will fix it. The problem didn't happen when I went to a pre-ABE NS. But Yahoo is not making it any easier for Giorgio or the rest of us.
Thanks for your time and testing. Perhaps you understand a little more this "Luddite" attitude
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
- Giorgio Maone
- Site Admin
Re: XSS False Positive at Yahoo Classic Mail
Hrm, this thread seems to cast some more light on what's happening there too.
Since therube is hitting the same issue, at this point it is unlikely that both have noscript.injectionCheck set to 3 or above, and you both report unresponsive script messages, I've got a quite plausible explanation and maybe a plan as well:
XSS protection is "fail safe", i.e. if something tries to break it by brute force (e.g. causing a timeout which interrupts the script), it intercepts the exception and throws an XSS warning anyway.
So what's probably happening is that ABE (which runs serially with XSS checks) is increasing the total run time of the ABE+XSS sequence past the browser limit, and this timeout causes the XSS warning to be triggered even though the request is not cross-site.
Since I was already working on an ABE optimization meant to make the most time-consuming checks (i.e. DNS requests) asynchronous, this will likely cure these symptoms as well.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10 (.NET CLR 3.5.30729)
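The fail-safe behaviour described in the post above, modeled as an added example (not NoScript code and not part of any post in this thread): two checks run serially against one run-time budget, and an interruption is reported as an XSS warning even for a same-site request. The function names, the cost model, the 10000 ms limit and the sample request are all assumptions made for the illustration.

```javascript
// Added illustration, not NoScript source; names, costs and limit are assumptions.
const SCRIPT_BUDGET_MS = 10000; // stand-in for the browser's script run-time limit

// Simulated clock: serial checks spend time against one shared budget.
function makeBudget(limitMs) {
  let used = 0;
  return {
    spend(ms) {
      used += ms;
      if (used > limitMs) throw new Error(`script interrupted after ${used} ms`);
    },
  };
}

// Crude same-site test (last two host labels); enough for the sample hosts.
const site = (u) => new URL(u).hostname.split(".").slice(-2).join(".");

// ABE-like step: the synchronous DNS lookup dominates its cost.
function abeCheck(req, budget, syncDnsMs) {
  budget.spend(syncDnsMs);
}

// XSS-like step: cost grows with the POST body; only a cross-site request
// carrying a script tag is a real hit in this toy rule.
function xssCheck(req, budget) {
  budget.spend(req.body.length / 100);
  return site(req.origin) !== site(req.url) && /<script\b/i.test(req.body);
}

// Fail-safe wrapper: if the checks are interrupted for any reason, warn
// instead of letting the request through unchecked.
function filterRequest(req, syncDnsMs) {
  const budget = makeBudget(SCRIPT_BUDGET_MS);
  try {
    abeCheck(req, budget, syncDnsMs);
    const hit = xssCheck(req, budget);
    return { verdict: hit ? "xss-warning" : "allow", reason: hit ? "injection pattern" : "clean" };
  } catch (e) {
    return { verdict: "xss-warning", reason: e.message };
  }
}

// Constructed request modeled on the autosave POST in the thread (same site).
const autosave = {
  origin: "http://us.mc563.mail.yahoo.com/mc/welcome",
  url: "http://us.mc563.mail.yahoo.com/mc/compose/?action_msg_autosave=1",
  body: "x".repeat(76000),
};

console.log(filterRequest(autosave, 9500)); // slow DNS inside the budget
console.log(filterRequest(autosave, 0));    // DNS moved off the synchronous path
```

With the DNS cost inside the budget the same-site autosave is flagged purely because the sequence was interrupted; taking that cost off the synchronous path lets the XSS rule run to completion and the request is allowed.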
Re: XSS False Positive at Yahoo Classic Mail
Thanks, Giorgio. I just replied at the thread you linked. I was going to edit it, but will add here: Just noticed dev 1.9.3.7 out. Will update from 1.9.3.6 and see if any changes.
Your idea sounds very likely. In *each* case, *time* has been an element. In Yahoo, messages composed and sent quickly do not cause the problem. But even the shortest message does, if you take a long time to compose it, or the telephone rings while doing so, etc. At Amiright.com, there are many fields to fill in, and one wants to preview to proofread very carefully, because once submissions are moderated and posted, they *cannot* be edited. So I always preview, proofread, perhaps tweak a bit, preview again, etc.
Good detective work -- hope that's the solution.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: XSS False Positive at Yahoo Classic Mail
1.9.3.8-dev
Try to duplicate the above ...
541KB text file (tracking of Acrobat 7 installation)
Yahoo Mail Classic, Rich Text mode
Add a background image
Let it stew
Noted time of saved draft copy, changed font & color
Let it stew ... repeat
At some point, decided to send
Send successfully completed.
(Separately, on a Snitz Forums board where I had been noticing hangs <when opening multiple tabs>, I no longer see that either.)
---
draft 09:36 & going to try sending now
draft 09:26
draft 09:06
draft 08:59
1.9.3.8 XSS test @ yahoo mail classic "rich text" 08:57
===========
Installation Report: Adobe Acrobat Reader v705 Generated by InCtrl5, version 1.0.0.0 Install program: C:\TMP\AdbeRdr705_enu_full (Adobe Acrobat Reader XP).exe 11/1/2005 10:57 PM ...
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1pre) Gecko/20090531 SeaMonkey/2.0b1pre
Re: XSS False Positive at Yahoo Classic Mail
Could not reproduce with a moderate test at Yahoo. It will be tested severely tomorrow (today), Monday, during the business day. However, based on my reply at the thread with apparently similar causes, I expect that it's fixed. Will let you know if not. Thanks.
NS 1.9.3.91 on Fx 2-20
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard
Re: XSS False Positive at Yahoo Classic Mail
No problems at Yahoo Mail, or anywhere else for that matter, with 1.9.3.91 on Fx2-20. ABE and XSS seem to play together very nicely now. I'm marking this issue resolved. Thanks for the dev build, Giorgio.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard