Bugtraq mailing list archives

Re: Cross site scripting in almost every major website


From: Berend-Jan Wever <skylined () edup tudelft nl>
Date: 21 Apr 2002 10:49:44 -0000



Been there, done that.

I have successfully created a worm and tested it 
before trying to report this to McAfee, they do the 
virus scanning for hotmail. I got a "you are not a 
registered user" auto-reply and they ignored my 
messages because I wasn't in their files ;( too bad 
for them.
You do have full access to the DOM of Hotmail 
when you can find a way to cross-site script, thus 
allowing you full access to the inbox, address 
book etc...

BJ
----- Original Message ----- 
From: FozZy 
To: bugtraq () securityfocus com 
Cc: skylined () edup tudelft nl ; vuln-dev () securityfocus com 
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every major website


To webmail developers : there is something 
interesting for you hidden in this post. The 
Hotmail problem was an "evil html filtering" problem 
in incoming e-mails. It was possible to bypass the 
filter by injecting javascript with XML, when 
parsed with IE.  See :
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hotmail.howto.css.html

*** I guess that many other webmails are 
vulnerable to this attack. ***

I verified that Yahoo is vulnerable with IE 5.5 (but 
they have other bugs and they don't care, see 
http://online.securityfocus.com/archive/1/265464). 
I did not check other webmails, but I am sure 
almost every one can be cracked this way.

The fix: as far as I could find out they now replace 
the properties 'dataFld', 'dataFormatAs' and 'dataSrc' 
of any HTML tag with 'xdataFld', 'xdataFormatAs' 
and 'xdataSrc' to prevent XML generation of HTML 
altogether.

The implication of executing javascript is that an 
incoming email can control the mailbox of the 
user.  It is also possible to send the session 
cookie to a cgi script and read remotely all the e-mails. 
(BTW, it is still possible to do that on 
Hotmail and on almost every webmail, since they 
don't check the IP address, even without this XML 
trick cause their filters are sooo bad) 
I fear that a cross-platform and cross-site webmail 
worm deleting all the emails and spreading could 
appear in the near future. Please Hotmail Yahoo 
& co, do something before it comes true... 

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html
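
An added example, written for this archive page and not code from Hotmail, FozZy or SkyLined, of the attribute rewrite FozZy describes as the Hotmail fix: every dataFld, dataFormatAs and dataSrc attribute on any tag is renamed to its x-prefixed form, so IE no longer binds the element to an XML data island and never renders a bound field as HTML. Assumptions: the regex tag walk is a simplification that is enough for the constructed sample; a real filter should rewrite a parsed DOM instead. The sample mail body and its XML island are constructed here and carry inert text. One point the post does not spell out: attribute names are case-insensitive in HTML, so a rewrite that only matched the canonical spellings would miss DATAFLD or DataSrc, and the example compares lowercased names for that reason.

```javascript
// Added example, not code from Hotmail or from either poster: an HTML
// rewrite of the kind FozZy describes as the Hotmail fix. Every dataFld,
// dataFormatAs and dataSrc attribute on any tag is renamed to xdataFld,
// xdataFormatAs and xdataSrc, so IE no longer treats the element as bound
// to an XML data island. The regex tag walk is a simplification for the
// constructed sample; a production filter should rewrite a parsed DOM.

const BOUND_ATTRS = ["datafld", "dataformatas", "datasrc"];

// Start tag: element name, attribute string, optional self-closing slash.
const TAG_RE =
  /<([a-zA-Z][\w:-]*)((?:\s+[^\s=>/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
// One attribute inside that string: name, optional =value (quoted or bare).
const ATTR_RE = /([^\s=>/]+)(\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?/g;

function isBoundAttr(name) {
  // Attribute names are case-insensitive in HTML, so DATAFLD and DataSrc
  // must be caught as well as the canonical spellings.
  return BOUND_ATTRS.includes(name.toLowerCase());
}

// Return the mail body with every data-binding attribute renamed, keeping
// the attribute's original spelling and value behind the "x" prefix.
function neutralizeDataBinding(html) {
  return html.replace(TAG_RE, (tag, name, attrs, selfClose) =>
    "<" + name +
    attrs.replace(ATTR_RE, (attr, aname, value = "") =>
      isBoundAttr(aname) ? "x" + aname + value : attr) +
    selfClose + ">");
}

// Count binding attributes still live in a body; used to check the rewrite.
function countBoundAttrs(html) {
  let n = 0;
  html.replace(TAG_RE, (tag, name, attrs) => {
    attrs.replace(ATTR_RE, (attr, aname) => {
      if (isBoundAttr(aname)) n += 1;
      return attr;
    });
    return tag;
  });
  return n;
}

// Constructed sample mail body (not a real message): an XML data island
// bound to a span whose field IE would render as HTML. The island carries
// inert placeholder text; the point is the attribute shape, not a payload.
const SAMPLE_MAIL =
  '<xml id="island"><r><f>&lt;b&gt;bound&lt;/b&gt;</f></r></xml>' +
  '<span DataSrc="#island" datafld="f" dataFormatAs="HTML">placeholder</span>';

console.log(countBoundAttrs(SAMPLE_MAIL));                        // 3
console.log(neutralizeDataBinding(SAMPLE_MAIL));
console.log(countBoundAttrs(neutralizeDataBinding(SAMPLE_MAIL))); // 0
```

Run it with node; the last line printing 0 is the check that no binding attribute survived the rewrite. The rename is a denylist of exactly the three names the post reports, so it closes the data-binding route and nothing else; unrelated attributes such as href or class pass through unchanged.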

