
Archive for June 20th, 2007


Jun20
by Jasper Pimentel (Advanced Threats Researcher)

A pair of proof-of-concept (POC) code samples for a cross-site scripting (XSS) exploit against Yahoo Mail was discovered recently. The POC code comprises two components. The first is a CGI script that performs the exploit itself; the second is a module that generates a URL string which, as we'll see later on, is critical to the execution of the exploit.

Here's how the exploit works. The first component (written in Perl) is installed on a web server and is meant to execute whenever a user visits a web page hosted on that server. The second component takes the path of that CGI script on the web server and appends a Yahoo URL string to it, producing an entirely new URL. This URL can be sent to an unsuspecting user in an innocent-looking email or Yahoo Messenger (YM) message. When the user clicks on the URL, his Yahoo account is compromised.

Fortunately, this piece of POC code does nothing more than display an email from the user's inbox in a web page outside Yahoo's domain. Despite its limited functionality, the POC code has made its point: a user's web mail account can be compromised by a single click on a link. Trend Micro detects the pair of POC exploits as EXPL_YAHOXSS.A.
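The post does not say which part of the Yahoo Mail page reflected the attacker's text, so the following is an added, generic illustration of the XSS class it describes, not the POC code or Yahoo's own code. It assumes a hypothetical webmail page that echoes a query parameter (here `subject`) into its HTML, shows the unsafe rendering beside the escaped one, and includes a small screening check of the kind a webmail front end or proxy could apply to values that are supposed to be plain text. The domain, parameter name and payload are constructed placeholders.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed sample of a legitimate-looking webmail link whose query
# parameter carries attacker-chosen text (placeholder values, not from the post).
SAMPLE_LINK = (
    "https://webmail.example.test/inbox?view=1&subject="
    "%3Cscript%3Ealert(%22xss%22)%3C%2Fscript%3E"
)


def reflected_param(url, name):
    """Return the percent-decoded value of query parameter `name`, or '' if absent."""
    query = parse_qs(urlparse(url).query)
    return query.get(name, [""])[0]


def render_vulnerable(subject):
    """Interpolates user-controlled text straight into HTML, so markup in it is live."""
    return "<h1>Message: " + subject + "</h1>"


def render_hardened(subject):
    """Escapes the text first, so the browser shows it as literal characters."""
    return "<h1>Message: " + html.escape(subject, quote=True) + "</h1>"


def looks_like_markup(value):
    """Cheap screening check: a value meant to be plain text should carry no HTML metacharacters."""
    return any(ch in value for ch in "<>\"'")


if __name__ == "__main__":
    subject = reflected_param(SAMPLE_LINK, "subject")
    print("reflected value:", subject)
    print("vulnerable:     ", render_vulnerable(subject))
    print("hardened:       ", render_hardened(subject))
    print("suspicious:     ", looks_like_markup(subject))
```

The hardened renderer is the fix that matters: once every reflected value is escaped at output time, the attacker's link still loads the page but the injected text can no longer run in the victim's session, so it cannot read the inbox or anything else tied to that session.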


Jun20
by Mayee Corpin (Technical Communications)

If users wanted to download WinRAR, the popular archiver tool to process RAR and ZIP files, where would they go? Chances are, they’d type in the name of the tool itself and just add .com (www.winrar.com) in their browser’s address bar. Unbeknownst to them, however, the said site is not the official site from which the legitimate tool could be downloaded–that would be www.rarlab.com, actually.

TrendLabs has just received reports of how unsuspecting users could end up downloading malware, instead of WinRAR, onto their systems. When they click the "Free Software Downloads" button on www.winrar.com (as seen below), they are led to another page where they are prompted to click "Download Winrar".

[Image: winrar.gif, screenshot of the "Free Software Downloads" button on www.winrar.com]

When they click on “Download Winrar”, a link to {BLOCKED}ench.ircfast.com would appear. Finally, another Web page, wholly in French, would display 11 supposed versions of WinRAR:

[Image: winrar2.gif, screenshot of the French-language page listing 11 supposed WinRAR versions]

In truth, these are 11 files that are all detected by Trend Micro as TROJ_STARTPA.QC.

What is still unclear is whether the site, which looks very professionally done, has been hacked or was deliberately loaded with a Trojan to deceive would-be users of WinRAR. Updates will be posted soon.



© Copyright 2008 Trend Micro Inc. All rights reserved. Legal Notice