[20836] in bugtraq
RE: Yahoo/Hotmail scripting vulnerability, worm propagation
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Fri Jun 1 18:06:18 2001
Date: Thu, 31 May 2001 16:24:14 -0700
Message-ID: <C10F7F33B880B248BCC47DB44673884702C7E00D@red-msg-07.redmond.corp.microsoft.com>
From: "Microsoft Security Response Center" <secure@microsoft.com>
To: <bugtraq@securityfocus.com>
Cc: "Microsoft Security Response Center" <secure@microsoft.com>
-----BEGIN PGP SIGNED MESSAGE-----
We are investigating this matter thoroughly and aggressively to
determine whether or not it is valid. Contrary to the poster's
claim, we have not received any direct communications on this
possible (or alleged) vulnerability.
Regards,
secure@microsoft.com
-----Original Message-----
From: mparcens@hushmail.com [mailto:mparcens@hushmail.com]
Sent: Wednesday, May 30, 2001 5:18 PM
To: bugtraq@securityfocus.com
Subject: Yahoo/Hotmail scripting vulnerability, worm propagation
Title: Yahoo/Hotmail scripting vulnerability, worm propagation
Synopsis
Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate a Melissa-type worm through those webmail services.
Description
An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the email is a link to yahoo or hotmail's own server. The link contains escaped javascript that is executed when the page is loaded. That javascript then opens a window that could navigate through the victim's inbox, sending messages with the malicious link to every email address it finds in the inbox. Because the malicious javascript executes inside a page from the mail service's own server, there is no domain-bounding error when the javascript is controlling the window with the victim's inbox.
Who is vulnerable
Users of the Yahoo Mail and Hotmail service. Although the exploit requires a user to click on a link, two things work for this exploit. (1) The email comes from a familiar user (sent by the worm), and (2) The link is to a familiar, trusted server. Theoretically, more services are vulnerable, due to the proliferation of these holes, but the worm is limited to web mail services.
Proof-of-Concept
Sample links and the worm code can be found at:
http://www.sidesport.com/webworm/
Solution
Escaping all query data that is echoed to the screen eliminates this problem. This must be done on every page on a server that can send or read mail for the service.
Vendor Status
Both Yahoo and Hotmail were notified on May 23 2001.
-mparcens
mparcens@hushmail.com
Free, encrypted, secure Web-based email at www.hushmail.com
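The fix the advisory proposes, escaping every query value before it is echoed back into a page, shown as an added example that is not part of the original post and not Yahoo's or Hotmail's code. The `renderVulnerable` / `renderHardened` handlers and the sample URL are hypothetical, constructed for illustration; the search page in the example is assumed to reflect its `q` parameter the way the advisory describes.

```javascript
// Added example: HTML-escape query data before echoing it into a page.
// The handlers below are hypothetical, not the webmail services' code.

// Escape the five characters that can open a tag or close an attribute.
// Escaping is applied to the *decoded* value, because the browser turns
// %3C into '<' before the page is parsed; escaping the raw URL is useless.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Parse the query string of a URL into a map, decoding each component.
// A link in an email carries the script percent-encoded, which is what
// the advisory calls "escaped javascript"; this is where it is decoded.
function parseQuery(url) {
  const params = {};
  const idx = url.indexOf("?");
  if (idx === -1) return params;
  for (const pair of url.slice(idx + 1).split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const rawKey = eq === -1 ? pair : pair.slice(0, eq);
    const rawVal = eq === -1 ? "" : pair.slice(eq + 1);
    params[decodeURIComponent(rawKey)] =
      decodeURIComponent(rawVal.replace(/\+/g, " "));
  }
  return params;
}

// Vulnerable pattern from the advisory: the query value is echoed verbatim,
// so the decoded script tag becomes live markup in the service's own origin.
function renderVulnerable(url) {
  const q = parseQuery(url).q || "";
  return `<p>Results for: ${q}</p>`;
}

// Hardened form: every echoed value goes through escapeHtml, both in text
// content and inside the attribute value that pre-fills the search box.
function renderHardened(url) {
  const q = escapeHtml(parseQuery(url).q || "");
  return `<p>Results for: ${q}</p><input name="q" value="${q}">`;
}

// Constructed sample link of the kind the advisory describes (hypothetical host).
const SAMPLE_URL = "https://mail.example.test/search?q=%3Cscript%3E1%3C%2Fscript%3E";
```

Any page on the server that reflects request data needs the hardened form; one unescaped echo anywhere on the mail domain is enough for the described worm.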