Summary:
Vulnerability in Yahoo web site allows remote attackers to cause it to insert malicious HTML or JavaScript into existing
web pages of Yahoo Website.

Details:
Every time your are using yahoo messenger for send File to other yahoo messenger users, when you can not connect to his/her
Machine, then Yahoo Messenger Software Ask you for Do you want to upload your file TO yahoo servers? Now, if you chose yes Then Yahoo
Messenger Upload your file to yahoo Server and after that it gives you the link of download for that file. Now you can send this file to your Friends.

This link is look like:
http://us.f1.yahoofs.com/msgr/YahooID/.tmp/Filename.html?Random_Code
YahooID: Your yahoo messenger ID
Filename: your File name
Random Code: is Random Characters (Alpha+numeric) only person who knows this random code can access to this file.

Now if you just add your script after the last " / " character you can insert your HTML or JavaScript Code to yahoo pages .
For Example:
http://us.f1.yahoofs.com/msgr/YahooID/.tmp/[script]alert('Hat-Squad.com');[/script]

Also you can use this model:
http://us.f2.yahoofs.com/[script]alert('Hat-Squad.com');[/script]
http://us.f2.yahoofs.com/[script]window.open("http://www.hat-squad.com")[/script]
Replace [] With <>

Vulnerable URLs:
http://us.f2.yahoofs.com
http://us.f1.yahoofs.com

Example:
http://us.f2.yahoofs.com/[script]window.open("http://www.hat-squad.com")[/script]
http://us.f2.yahoofs.com/[script]alert('Hat-Squad.com');[/script]

Found by:
Nima Majidi
nima_majidi@hat-squad.com
Hat-Squad Security Research Team (www.hat-squad.com)