Vulnerability Development mailing list archives

Re: Cross site scripting in almost every major website


From: FozZy <fozzy () dmpfrance com>
Date: Sun, 21 Apr 2002 03:53:29 +0200

To webmail developers: there is something interesting for you hidden in this post. The Hotmail problem was an "evil 
HTML filtering" problem in incoming e-mails. It was possible to bypass the filter by injecting javascript with XML, 
when parsed with IE. See:
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hotmail.howto.css.html

*** I guess that many other webmails are vulnerable to this attack. ***

I verified that Yahoo is vulnerable with IE 5.5 (but they have other bugs and they don't care, see 
http://online.securityfocus.com/archive/1/265464). I did not check other webmails, but I am sure almost every one can 
be cracked this way.

The fix: as far as I could find out, they now replace the properties 'dataFld', 'dataFormatAs' and 'dataSrc' of any 
HTML tag with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to prevent XML generation of HTML altogether.

The implication of executing javascript is that an incoming email can control the mailbox of the user. It is also 
possible to send the session cookie to a cgi script and read remotely all the e-mails. (BTW, it is still possible to do 
that on Hotmail and on almost every webmail, since they don't check the IP address, even without this XML trick, because 
their filters are sooo bad.)
I fear that a cross-platform and cross-site webmail worm deleting all the emails and spreading could appear in the near 
future. Please Hotmail, Yahoo & co, do something before it comes true...

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html
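The fix the post attributes to Hotmail, renaming the IE data-binding attributes dataFld, dataFormatAs and dataSrc on every tag so the browser no longer recognises them, is easy to reproduce in an inbound-mail HTML filter. The example below is added here and is not Hotmail's code nor anything from the post; it is a minimal filter built on Python's html.parser that rewrites those three attributes (case-insensitively, since IE matches attribute names without regard to case) and drops comments, declarations and processing instructions, which a mail reader never needs. The sample message body is constructed for the example. The attribute-rename approach is shown because it is what the post describes; a production filter would rather allowlist the tags and attributes it wants to keep than blocklist the ones it knows are dangerous.

```python
"""Neutralise IE data-binding attributes in inbound HTML mail (added example)."""
import html
from html.parser import HTMLParser

# The three attributes the post says were rewritten with an 'x' prefix.
DATA_BINDING_ATTRS = {"datafld", "dataformatas", "datasrc"}


class DataBindingNeutralizer(HTMLParser):
    """Re-serialises HTML, prefixing any data-binding attribute with 'x'.

    html.parser lowercases tag and attribute names, so 'DATASRC', 'dataSrc'
    and 'datasrc' all arrive here as 'datasrc' and are all caught.
    """

    def __init__(self):
        # convert_charrefs=False keeps entity/char references as separate
        # events so they can be emitted again unchanged (see handlers below).
        super().__init__(convert_charrefs=False)
        self.out = []
        self.rewritten = 0  # how many attributes were neutralised

    def _serialise_attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if name.lower() in DATA_BINDING_ATTRS:
                name = "x" + name          # 'datafld' -> 'xdatafld'
                self.rewritten += 1
            if value is None:              # boolean attribute, e.g. <input disabled>
                parts.append(name)
            else:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._serialise_attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # Comments, <!DOCTYPE>/CDATA declarations and <?...?> processing
    # instructions carry nothing a mail reader needs, so they are dropped.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def unknown_decl(self, data):
        pass

    def handle_pi(self, data):
        pass


def neutralize_data_binding(html_text: str) -> tuple[str, int]:
    """Return (filtered_html, number_of_attributes_rewritten)."""
    parser = DataBindingNeutralizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.rewritten


# Constructed sample: a mail body carrying the three attributes in mixed case.
SAMPLE_MAIL_BODY = (
    "<p>Hello &amp; welcome</p>"
    '<div DATASRC="#island" dataFld="col" dataFormatAs="html">x</div>'
    '<img src="logo.png" alt="logo">'
)

if __name__ == "__main__":
    filtered, count = neutralize_data_binding(SAMPLE_MAIL_BODY)
    print(f"rewrote {count} attribute(s):")
    print(filtered)
```

Run on the constructed body, the filter rewrites three attributes and leaves the rest of the markup untouched. The count returned by neutralize_data_binding is worth logging on the mail gateway: a message that trips this rule on arrival is a useful detection signal regardless of whether the browser on the receiving end is still affected.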

