[NEWS] Myownemail.com Accounts Vulnerable to Script Attack

From: support@securiteam.com
Date: 09/20/01 

From: support@securiteam.com
To: list@securiteam.com
Subject: [NEWS] Myownemail.com Accounts Vulnerable to Script Attack
Message-Id: <20010920053313.2B667138C1@mail.der-keiler.de>
Date: Thu, 20 Sep 2001 07:33:13 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -

  Myownemail.com Accounts Vulnerable to Script Attack
------------------------------------------------------------------------

SUMMARY

 <http://Myownemail.com/> Myownemail.com is a web based mail service that
lets you choose from a large amount of domains to get a personalized email
account. A security vulnerability in the service allows attackers to
insert HTML tags and JavaScript into existing web pages (emails).

DETAILS

Whenever you login to a Myownemail account the inbox is opened. If you
send an email with a specially formed "from" field, which usually contains
a name, you can execute javascript, vbscript, and other active code on the
computer of the person who logged in.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:onesemicolon@onesemicolon.cjb.net> onesemicolon.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages

  • Risks Digest 25.73
    ... German electronic health card system failure ... Risks of the Cloud: Liquid Motors ... Oakland 2010, IEEE Symposium on Security and Privacy, CFP ... A friend's facebook account was hacked recently (a neat little short-term ...
    (comp.risks)
  • Re: MBSA, Office Update, Versions, Failures
    ... I apologize for posting this to three groups (MBSA, Windows Update, ... with Domain User account. ... Microsoft Baseline Security Advisor (? ... Office 2000 Security Patches - Red X's, ...
    (microsoft.public.officeupdate)
  • Re: write with cURL
    ... you can stop making excuses. ... up an account for you, process the billing, etc. ... possible features from a web site to make up for the security issues. ... Nothing you have told me shows me you know how to lock down a server ...
    (alt.php)
  • Re: Basic Authentication fails with Error 401.2 where Integrated s
    ... On the IIS directory security tab, anonymous access is disabled, digest ... authentication is disabled, integrated authentication is disabled and basic ... account created has full permissions for the folder and the file that's in it. ...
    (microsoft.public.inetserver.iis.security)
  • [NEWS] Vulnerability Enables Passport Account Hijackings (No Secret Question)
    ... Beyond Security in Canada ... to promote the most advanced vulnerability assessment solutions today. ... A newly disclosed vulnerability could enable attackers to reset the ... who needs to reset his account password can be manipulated by attackers on ...
    (Securiteam)