Bugtraq mailing list archives

Yahoo/Hotmail scripting vulnerability, worm propagation


From: mparcens () hushmail com
Date: Wed, 30 May 2001 19:18:08 -0500 (EDT)

Title: Yahoo/Hotmail scripting vulnerability, worm propagation


Synopsis

Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate 
a Melissa-type worm through those webmail services.


Description

An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the 
email is a link to Yahoo's or Hotmail's own server. The link contains escaped 
JavaScript that is executed when the page is loaded. That JavaScript then 
opens a window that could navigate through the victim's inbox, sending messages 
with the malicious link to every email address it finds in the inbox. Because 
the malicious JavaScript executes inside a page from the mail service's 
own server, the browser raises no domain-bounding error when that JavaScript 
controls the window with the victim's inbox.


Who is vulnerable

Users of the Yahoo Mail and Hotmail services. Although the exploit requires 
a user to click on a link, two things work in its favor: (1) the email 
comes from a familiar user (sent by the worm), and (2) the link is to a 
familiar, trusted server. Theoretically, more services are vulnerable, due 
to the proliferation of these holes, but the worm is limited to web mail 
services.


Proof-of-Concept

Sample links and the worm code can be found at: http://www.sidesport.com/webworm/


Solution

Escaping all query data that is echoed to the screen eliminates this problem. 
This must be done on every page on a server that can send or read mail for 
the service.
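
The fix described under Solution, as an added example that is not part of the
original advisory: a page that echoes a query parameter verbatim, the same page
with the value HTML-escaped, and a check that reports which pages still return
metacharacters unescaped. The parameter name `folder`, the page names and all
function names are hypothetical.

```javascript
// Added example; escapeHtml, renderEcho* and findUnescapedEchoes are
// hypothetical names, not code from Yahoo, Hotmail or the advisory.
const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Replace every character that can change how the HTML parser reads the value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// 'Before': the URL-decoded query value is copied into the page verbatim.
function renderEchoUnsafe(query) {
  const folder = new URLSearchParams(query).get("folder") ?? "";
  return `<p>Folder not found: ${folder}</p>`;
}

// 'After': the same page with the echoed value escaped on output.
function renderEchoSafe(query) {
  const folder = new URLSearchParams(query).get("folder") ?? "";
  return `<p>Folder not found: ${escapeHtml(folder)}</p>`;
}

// Constructed sample input: URL-escaped markup in a query parameter.
const SAMPLE_QUERY = "folder=%3Cscript%3Emarker()%3C%2Fscript%3E";

// "Every page" check: feed each renderer a canary built from HTML
// metacharacters and list the pages that send it back unescaped.
const CANARY = `zq<"'>&zq`;
function findUnescapedEchoes(pages) {
  const query = "folder=" + encodeURIComponent(CANARY);
  return Object.entries(pages)
    .filter(([, render]) => render(query).includes(CANARY))
    .map(([name]) => name);
}

// Constructed page table: one unfixed page, one fixed page.
const PAGES = { compose: renderEchoUnsafe, inbox: renderEchoSafe };
console.log(renderEchoUnsafe(SAMPLE_QUERY));
console.log(renderEchoSafe(SAMPLE_QUERY));
console.log("pages echoing raw query data:", findUnescapedEchoes(PAGES));
```

This escaping is correct for values placed in HTML body text or quoted
attributes; a value echoed into a script block or a URL needs the encoding for
that context instead.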


Vendor Status

Both Yahoo and Hotmail were notified on May 23 2001.


-mparcens
mparcens () hushmail com
