-----BEGIN PGP SIGNED MESSAGE-----

We are investigating this matter thoroughly and aggressively to determine whether or not it is valid. Contrary to the poster's claim, we have not received any direct communications on this possible (or alleged) vulnerability.

Regards,
secureat_private

- -----Original Message-----
From: mparcensat_private [mailto:mparcensat_private]
Sent: Wednesday, May 30, 2001 5:18 PM
To: bugtraqat_private
Subject: Yahoo/Hotmail scripting vulnerability, worm propagation

Title: Yahoo/Hotmail scripting vulnerability, worm propagation

Synopsis

Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate a Melissa-type worm through those webmail services.

Description

An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the email is a link to Yahoo's or Hotmail's own server. The link contains escaped JavaScript that is executed when the page is loaded. That JavaScript then opens a window that could navigate through the victim's inbox, sending messages with the malicious link to every email address it finds in the inbox. Because the malicious JavaScript executes inside a page from the mail service's own server, there is no domain-bounding error when the JavaScript is controlling the window with the victim's inbox.

Who is vulnerable

Users of the Yahoo Mail and Hotmail services. Although the exploit requires a user to click on a link, two things work for this exploit: (1) the email comes from a familiar user (sent by the worm), and (2) the link is to a familiar, trusted server. Theoretically, more services are vulnerable, due to the proliferation of these holes, but the worm is limited to web mail services.

Proof-of-Concept

Sample links and the worm code can be found at: http://www.sidesport.com/webworm/

Solution

Escaping all query data that is echoed to the screen eliminates this problem. This must be done on every page on a server that can send or read mail for the service.

Vendor Status

Both Yahoo and Hotmail were notified on May 23 2001.

- -mparcens
mparcensat_private

Free, encrypted, secure Web-based email at www.hushmail.com

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3

iQEVAwUBOxbSOI0ZSRQxA/UrAQHWSQf/R6eyO2m+Yfev7noeY/JOGaLjQp6GC/AZ
EQCnSCfO9tfCVfOOabChwHn4OBQsMNSBlFPybbjVuXb35+YMqq7nV6X8rTpVnyg2
cSbA6Xma4dOfR0nA/OdPj6eBngN3kBfnRB7537z9fFJ1ryxq18ykge5+edp0Bdc1
4XXqkQT2K+Kid7vEj5+frYip2W1Dq1Ec2vnzSu6661OSfMdU1Rat4TdMLpJzZckV
HwUlRFg1dAxpVdkL0OGbrTHhD1h95UiGmQMbnZRFwk5xMK68u6UrbX13zILaEzCR
trtFmyF0LsyYqnRLPwMHmdSE6jZNY6ycVhbsj2+v8qyqyxMcEzuXCA==
=z0RA
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 13:52:01 PDT