RE: Cross site scripting in almost every mayor website

From: GreyMagic Software (security@greymagic.com)
Date: 04/23/02


From: "GreyMagic Software" <security@greymagic.com>
To: "Bugtraq" <bugtraq@securityfocus.com>, "Berend-Jan Wever" <skylined@edup.tudelft.nl>
Date: Tue, 23 Apr 2002 22:43:38 +0200

Hello,

We discovered this quite a while ago (when investigating GM#001-IE,
actually) and have verified it to work on the following
services/applications:

* hotmail.com
* msn.com
* yahoo.com
* mail.com
* iname.com
* lycos.com
* excite.com
* Qualcomm Eudora

The code published by SkyLined is obviously a slightly altered version of
the data binding code that appears in GM#001-IE (even the element ids
remained the same), so we feel that an acknowledgment was in order.

Either way, we were planning to release this after we had the opportunity to
contact each and every vendor in the above list, but since this is out in
the open there's no reason for that now.

A little example of embedding an iframe:

<xml id="filter">
<i><b>
&lt;iframe
src="http://security.greymagic.com/adv/gm001-ie/"&gt;&lt;/iframe&gt;
</b></i>
</xml>
<span datafld="b" dataformatas="html" datasrc="#filter"></span>

When trying to inject script into yahoo (and others) using events such as
onerror, yahoo tries to filter them out even if they appear inside the <xml>
element. This can be easily bypassed by using o&#110;error instead of
onerror, for example.

Regards.

-----Original Message-----
From: Berend-Jan Wever [mailto:skylined@edup.tudelft.nl]
Sent: Sunday, April 21, 2002 12:50
To: bugtraq@securityfocus.com
Subject: Re: Cross site scripting in almost every mayor website

Been there, done that.

I have successfully created a worm and tested it before trying to report
this to McAfee, they do the virus scanning for hotmail. I got a "you are
not a registered user" auto-reply and they ignored my messages because I
wasn't in their files ;( too bad for them.

You do have full access to the DOM of Hotmail when you can find a way to
cross-site script, thus allowing you full access to the inbox, address
book etc...

BJ

----- Original Message -----
From: FozZy
To: bugtraq@securityfocus.com
Cc: skylined@edup.tudelft.nl ; vuln-dev@securityfocus.com
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every mayor website

To webmail developers: there is something interesting for you hidden in
this post. The Hotmail problem was an "evil html filtering" problem in
incoming e-mails. It was possible to bypass the filter by injecting
javascript with XML, when parsed with IE. See:
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hotmail.howto.css.html

*** I guess that many other webmails are vulnerable to this attack. ***

I verified that Yahoo is vulnerable with IE 5.5 (but they have other bugs
and they don't care, see http://online.securityfocus.com/archive/1/265464).

I did not check other webmails, but I am sure almost every one can be
cracked this way.

> The fix: as far as I could find out they now replace
> the properties 'dataFld', 'dataFormatAs'
> and 'dataSrc' of any HTML tag
> with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to
> prevent XML generation of HTML altogether.

The implication of executing javascript is that an incoming email can
control the mailbox of the user. It is also possible to send the session
cookie to a cgi script and read remotely all the e-mails. (BTW, it is
still possible to do that on Hotmail and on almost every webmail, since
they don't check the IP address, even without this XML trick cause their
filters are sooo bad)

I fear that a cross-platform and cross-site webmail worm deleting all the
emails and spreading could appear in the near future. Please Hotmail Yahoo
& co, do something before it comes true...

FozZy
Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html
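The thread makes two points a webmail filter author should take away: a blocklist that looks for the literal spelling "onerror" is defeated by an entity-encoded attribute name (GreyMagic's o&#110;error observation), and the durable fix is to refuse the IE data-binding attributes and <xml> islands outright rather than try to clean them (the dataFld/dataFormatAs/dataSrc change FozZy quotes). The following Python is an added example written for this page, not code from any of the posters or vendors named. It contrasts a naive regex blocklist with an allowlist sanitizer that normalizes attribute names before checking them; the tag and attribute allowlists, the function names and the example.invalid URL are assumptions made for the example, and the sample markup is constructed.

```python
"""Allowlist HTML sanitizer for incoming webmail (added example).

Shows, on constructed samples:
  1. a blocklist regex that strips on*= handlers misses an attribute name
     written with a numeric entity (o&#110;error);
  2. an allowlist sanitizer that decodes entities in attribute *names* before
     checking them, and keeps only known-safe tags/attributes, so <xml> data
     islands and datafld/dataformatas/datasrc never reach the browser.
The allowlists below are assumptions chosen for this example.
"""
import html
import re
from html.parser import HTMLParser

# Assumed allowlists: anything not listed is dropped rather than "cleaned".
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "span"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"title"}}
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")

# The style of filter the thread describes: remove on*= handlers by pattern.
_EVENT_ATTR = re.compile(r'\s+on\w+\s*=\s*(?:"[^"]*"|\'[^\']*\'|[^\s>]+)', re.I)


def blocklist_filter(markup):
    """Naive event-handler stripper; it only sees the literal spelling 'on...'."""
    return _EVENT_ATTR.sub("", markup)


class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from a parse, emitting only allowlisted tags/attributes."""

    def __init__(self):
        # convert_charrefs=True: text arrives decoded and is re-escaped on
        # output, so entity-encoded markup inside text stays inert text.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:              # e.g. <xml>, <img>, <iframe>, <script>
            self.dropped.append(tag)
            return
        kept = []
        for name, value in attrs:
            # Normalize the attribute NAME: HTMLParser does not decode entities
            # there, so o&#110;error would otherwise not compare equal to onerror.
            norm = html.unescape(name).lower()
            if norm not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"{tag}@{norm}")   # onerror, datafld, datasrc, ...
                continue
            value = value or ""
            if norm == "href" and not value.strip().lower().startswith(SAFE_URL_SCHEMES):
                self.dropped.append(f"{tag}@href={value!r}")
                continue
            kept.append(f' {norm}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    # Comments, declarations and processing instructions hit the base-class
    # no-op handlers, so they are dropped too.


def sanitize(markup):
    """Return (clean_html, list_of_dropped_items) for one message body."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed samples (the second mirrors the data-binding shape from the thread).
ENCODED_HANDLER = '<span o&#110;error="x()">hi</span>'
DATA_ISLAND = (
    '<xml id="filter"><i><b>&lt;iframe src="http://example.invalid/"&gt;&lt;/iframe&gt;</b></i></xml>'
    '<span datafld="b" dataformatas="html" datasrc="#filter"></span>'
)

if __name__ == "__main__":
    print("blocklist:", blocklist_filter(ENCODED_HANDLER))   # unchanged: the regex never matched
    print("allowlist:", sanitize(ENCODED_HANDLER))
    print("allowlist:", sanitize(DATA_ISLAND))
```

The design point is that the allowlist never has to know about any particular bypass: the entity-encoded handler is rejected because "onerror" is not an allowed attribute, and the data island is neutralized because neither <xml> nor the datafld/datasrc/dataformatas attributes are allowed, so there is nothing left for IE to bind. The `dropped` list doubles as a detection signal for logging which messages carried binding attributes.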
