Re: Cross site scripting in almost every major website

From: Berend-Jan Wever (skylined@edup.tudelft.nl)
Date: 04/21/02


Date: 21 Apr 2002 10:49:44 -0000
From: Berend-Jan Wever <skylined@edup.tudelft.nl>
To: bugtraq@securityfocus.com



Been there, done that.

I have successfully created a worm and tested it before trying to report this to McAfee, they do the virus scanning for Hotmail. I got a "you are not a registered user" auto-reply and they ignored my messages because I wasn't in their files ;( too bad for them.

You do have full access to the DOM of Hotmail when you can find a way to cross-site script, thus allowing you full access to the inbox, address book etc...

BJ
----- Original Message -----
From: FozZy
To: bugtraq@securityfocus.com
Cc: skylined@edup.tudelft.nl ; vuln-dev@securityfocus.com
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every major website

To webmail developers: there is something interesting for you hidden in this post. The Hotmail problem was an "evil html filtering" problem in incoming e-mails. It was possible to bypass the filter by injecting javascript with XML, when parsed with IE. See:
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hotmail.howto.css.html

*** I guess that many other webmails are vulnerable to this attack. ***

I verified that Yahoo is vulnerable with IE 5.5 (but they have other bugs and they don't care, see http://online.securityfocus.com/archive/1/265464). I did not check other webmails, but I am sure almost every one can be cracked this way.

> The fix: as far as I could find out they now replace the properties 'dataFld', 'dataFormatAs' and 'dataSrc' of any HTML tag with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to prevent XML generation of HTML altogether.

The implication of executing javascript is that an incoming email can control the mailbox of the user. It is also possible to send the session cookie to a cgi script and read remotely all the e-mails. (BTW, it is still possible to do that on Hotmail and on almost every webmail, since they don't check the IP address, even without this XML trick, because their filters are sooo bad.)

I fear that a cross-platform and cross-site webmail worm deleting all the emails and spreading could appear in the near future. Please Hotmail, Yahoo & co, do something before it comes true...

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html
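The fix quoted above (renaming the IE data-binding attributes `dataFld`, `dataFormatAs` and `dataSrc` so the browser no longer honours them) is easy to misapply if it is done with a naive string search. The following is an added illustration, not code from the thread or from Hotmail: a small Python re-serialiser built on the standard-library `html.parser` that walks every start tag of an incoming HTML fragment and prefixes those three attributes with `x`, case-insensitively. The sample fragment and the helper names (`DataBindingNeutralizer`, `neutralize_data_binding`) are constructed for this example.

```python
from html.parser import HTMLParser
import html

# The three IE data-binding attributes named in the thread. HTMLParser
# lowercases attribute names, so the set is kept in lowercase and the
# comparison is case-insensitive (IE also treats attribute names that way).
DATA_BINDING_ATTRS = {"datafld", "dataformatas", "datasrc"}


class DataBindingNeutralizer(HTMLParser):
    """Re-serialises an HTML fragment, renaming data-binding attributes with an 'x' prefix.

    Hypothetical helper written for this example; it mirrors the fix described
    in the quoted message rather than any vendor's actual filter.
    """

    def __init__(self):
        # convert_charrefs=False so entity and character references in text are
        # passed through via the handlers below instead of being decoded.
        super().__init__(convert_charrefs=False)
        self.out = []
        self.renamed = 0  # how many data-binding attributes were neutralised

    def _render_attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if name.lower() in DATA_BINDING_ATTRS:
                name = "x" + name  # e.g. datasrc -> xdatasrc
                self.renamed += 1
            if value is None:
                parts.append(name)  # boolean attribute such as "disabled"
            else:
                # HTMLParser has already unescaped the value; re-escape it.
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        pass  # comments carry nothing a mail reader needs; drop them


def neutralize_data_binding(fragment):
    """Return (rewritten_html, number_of_attributes_renamed) for an HTML fragment."""
    parser = DataBindingNeutralizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out), parser.renamed


# Constructed sample: a message body that tries to bind a div to an XML data island.
SAMPLE = ('<div datasrc="#island" datafld="body" dataformatas="HTML">hi</div>'
          '<p class="x">ok</p>')

if __name__ == "__main__":
    rewritten, count = neutralize_data_binding(SAMPLE)
    print(count, "attribute(s) renamed")
    print(rewritten)
```

Two points worth noting from a filtering perspective. First, because the parser normalises attribute names, variants such as `DataFld` or `DATASRC` are caught as well, which a case-sensitive string replacement would miss. Second, this is still a denylist of three attribute names tied to one browser feature; a filter that instead allowlists the tags and attributes a mail body is permitted to carry, and drops everything else, does not need to know about the next binding mechanism in advance.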


