Re: Cross site scripting in almost every major website

From: Berend-Jan Wever (skylinedat_private)
Date: Sun Apr 21 2002 - 03:49:44 PDT

Been there, done that.

I have successfully created a worm and tested it before trying to report this to McAfee, they do the virus scanning for hotmail. I got a "you are not a registered user" auto-reply and they ignored my messages because I wasn't in their files ;( too bad for them.
You do have full access to the DOM of Hotmail when you can find a way to cross-site script, thus allowing you full access to the inbox, address book etc...

BJ
----- Original Message -----
From: FozZy
To: bugtraqat_private
Cc: skylinedat_private ; vuln-devat_private
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every major website
    
    
To webmail developers: there is something interesting for you hidden in this post. The Hotmail problem was an "evil html filtering" problem in incoming e-mails. It was possible to bypass the filter by injecting javascript with XML, when parsed with IE. See:
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hotmail.howto.css.html
    
*** I guess that many other webmails are vulnerable to this attack. ***

I verified that Yahoo is vulnerable with IE 5.5 (but they have other bugs and they don't care, see http://online.securityfocus.com/archive/1/265464). I did not check other webmails, but I am sure almost every one can be cracked this way.
    
> The fix: as far as I could find out they now replace the properties 'dataFld', 'dataFormatAs' and 'dataSrc' of any HTML tag with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to prevent XML generation of HTML altogether.
    
The implication of executing javascript is that an incoming email can control the mailbox of the user. It is also possible to send the session cookie to a cgi script and read remotely all the e-mails. (BTW, it is still possible to do that on Hotmail and on almost every webmail, since they don't check the IP address, even without this XML trick cause their filters are sooo bad)
I fear that a cross-platform and cross-site webmail worm deleting all the emails and spreading could appear in the near future. Please Hotmail Yahoo & co, do something before it comes true...

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html
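As an added illustration of the fix quoted in the thread (this is not code from the thread, from Hotmail or from McAfee): an inbound-mail filter that re-serialises the HTML and renames the three IE data-binding attributes with an 'x' prefix, comparing on the lower-cased name because HTML attribute names are case-insensitive and a case-sensitive string replace would miss DataFld or DATASRC. The class and function names and the sample message are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# The three attributes named in the thread as driving IE's XML data binding.
# Attribute names are case-insensitive in HTML, so the match is on the
# lower-cased name (html.parser already lower-cases them, .lower() is belt
# and braces for other tokenisers).
DATA_BINDING_ATTRS = {"datafld", "dataformatas", "datasrc"}


class DataBindingNeutralizer(HTMLParser):
    """Re-serialise HTML, renaming data-binding attributes with an 'x' prefix.
    Comments are dropped; text, entities and other attributes pass through."""

    def __init__(self):
        # convert_charrefs=False keeps entities such as &amp; as written
        super().__init__(convert_charrefs=False)
        self.out = []
        self.renamed = 0  # number of attributes neutralised

    def _attrs(self, attrs):
        parts = []
        for name, value in attrs:
            if name.lower() in DATA_BINDING_ATTRS:
                name = "x" + name
                self.renamed += 1
            # re-quote every value so the output is unambiguous to the browser
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        return (" " + " ".join(parts)) if parts else ""

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attrs(attrs)} />")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def neutralize_data_binding(html):
    """Return (rewritten_html, number_of_attributes_renamed)."""
    parser = DataBindingNeutralizer()
    parser.feed(html)
    parser.close()  # flush buffered text held back by convert_charrefs=False
    return "".join(parser.out), parser.renamed
```

This neutralises only the binding mechanism the thread describes; the renamed count is useful as a detection signal for messages that carried it, but as FozZy's post points out, attribute blocklists of this kind keep being bypassed, so it is one check in a filter, not a complete sanitiser.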
    



    This archive was generated by hypermail 2b30 : Mon Apr 22 2002 - 21:52:09 PDT