[25234] in bugtraq
RE: Cross site scripting in almost every mayor website
daemon@ATHENA.MIT.EDU (GreyMagic Software)
Wed Apr 24 12:30:02 2002
From: "GreyMagic Software" <security@greymagic.com>
To: "Bugtraq" <bugtraq@securityfocus.com>,
"Berend-Jan Wever" <skylined@edup.tudelft.nl>
Date: Tue, 23 Apr 2002 22:43:38 +0200
Message-ID: <LPBBLDGNEFOGMGAEHJPBAECACNAA.security@greymagic.com>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
In-reply-to: <20020421104944.28566.qmail@mail.securityfocus.com>
Hello,
We discovered this quite a while ago (when investigating GM#001-IE,
actually) and have verified it to work on the following
services/applications:
* hotmail.com
* msn.com
* yahoo.com
* mail.com
* iname.com
* lycos.com
* excite.com
* Qualcomm Eudora
The code published by SkyLined is obviously a slightly altered version of
the data binding code that appears in GM#001-IE (even the element ids
remained the same), so we feel that an acknowledgment was in place.
Either way, we were planning to release this after we had the opportunity to
contact each and every vendor in the above list, but since this is out in
the open there's no reason for that now.
A little example of embedding an iframe:
<xml id="filter">
<i><b>
<iframe src="http://security.greymagic.com/adv/gm001-ie/"></iframe>
</b></i>
</xml>
<span datafld="b" dataformatas="html" datasrc="#filter"></span>
When trying to inject script into yahoo (and others) using events such as
onerror, yahoo tries to filter them out even if they appear inside the <xml>
element. This can be easily bypassed by using onerror instead of
onerror, for example.
Regards.
-----Original Message-----
From: Berend-Jan Wever [mailto:skylined@edup.tudelft.nl]
Sent: Sunday, April 21, 2002 12:50
To: bugtraq@securityfocus.com
Subject: Re: Cross site scripting in almost every mayor website
Been there, done that.
I have successfully created a worm and tested it
before trying to report this to McAfee; they do the
virus scanning for hotmail. I got a "you are not a
registered user" auto-reply and they ignored my
messages because I wasn't in their files ;( too bad
for them.
You do have full access to the DOM of Hotmail
when you can find a way to cross-site script, thus
allowing you full access to the inbox, address
book etc...
BJ
----- Original Message -----
From: FozZy
To: bugtraq@securityfocus.com
Cc: skylined@edup.tudelft.nl ; vuln-dev@securityfocus.com
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every mayor website
To webmail developers : there is something
interesting for you hidden in this post. The
Hotmail problem was an "evil html filtering" problem
in incoming e-mails. It was possible to bypass the
filter by injecting javascript with XML, when
parsed with IE. See:
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hotmail.howto.css.html
*** I guess that many other webmails are
vulnerable to this attack. ***
I verified that Yahoo is vulnerable with IE 5.5 (but
they have other bugs and they don't care, see
http://online.securityfocus.com/archive/1/265464).
I did not check other webmails, but I am sure
almost every one can be cracked this way.
> The fix: as far as I could find out they now replace
> the properties 'dataFld', 'dataFormatAs'
> and 'dataSrc' of any HTML tag
> with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to
> prevent XML generation of HTML altogether.
The implication of executing javascript is that an
incoming email can control the mailbox of the
user. It is also possible to send the session
cookie to a cgi script and read remotely all the
e-mails. (BTW, it is still possible to do that on
Hotmail and on almost every webmail, since they
don't check the IP address, even without this XML
trick cause their filters are sooo bad)
I fear that a cross-platform and cross-site webmail
worm deleting all the emails and spreading could
appear in the near future. Please Hotmail Yahoo
& co, do something before it comes true...
FozZy
Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html
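As an added illustration of the defensive side of this thread (not code from any of the posters or vendors), the filter below does what the quoted Hotmail fix describes, renaming dataFld/dataFormatAs/dataSrc to their xdata* forms, and additionally drops <xml> data islands with their contents and any on* event-handler attribute, matching names case-insensitively so that mixed-case spellings do not slip past it. The sample input is constructed from GreyMagic's iframe example above plus an image tag with a mixed-case event handler.

```python
from html import escape
from html.parser import HTMLParser

# Attributes IE data binding reads; renamed with an "x" prefix as in the fix
# quoted by FozZy, so the binding never fires.
DATA_BINDING_ATTRS = {"datafld", "dataformatas", "datasrc"}


class DataBindingFilter(HTMLParser):
    """Rebuild HTML, dropping <xml> islands, renaming data-binding attributes
    and removing on* handlers. HTMLParser lowercases tag and attribute names,
    so matching here is case-insensitive."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.xml_depth = 0  # > 0 while inside an <xml> island

    def handle_starttag(self, tag, attrs):
        if tag == "xml":
            self.xml_depth += 1
            return
        if self.xml_depth:
            return  # everything inside the island is discarded
        parts = [tag]
        for name, value in attrs:
            if name.startswith("on"):
                continue  # event handler attribute: drop it
            if name in DATA_BINDING_ATTRS:
                name = "x" + name
            # attribute values arrive unescaped; re-escape so quoting stays intact
            parts.append(name if value is None else f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag == "xml":
            self.xml_depth = max(0, self.xml_depth - 1)
        elif not self.xml_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.xml_depth:
            self.out.append(data)

    # keep entity and character references as written, never decoding them into markup
    def handle_entityref(self, name):
        if not self.xml_depth:
            self.out.append(f"&{name};")

    def handle_charref(self, name):
        if not self.xml_depth:
            self.out.append(f"&#{name};")


def neutralize(markup):
    """Return markup with data islands, data binding and event handlers neutralized."""
    f = DataBindingFilter()
    f.feed(markup)
    f.close()
    return "".join(f.out)


# Constructed sample: GreyMagic's island example plus a mixed-case handler attribute.
SAMPLE = (
    '<xml id="filter"><i><b><iframe src="http://security.greymagic.com/adv/gm001-ie/">'
    '</iframe></b></i></xml>'
    '<span datafld="b" dataformatas="html" datasrc="#filter"></span>'
    '<img src="x" OnError="x">'
)

if __name__ == "__main__":
    print(neutralize(SAMPLE))
```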