Bugtraq mailing list archives
Yahoo/Hotmail scripting vulnerability, worm propagation
From: mparcens () hushmail com
Date: Wed, 30 May 2001 19:18:08 -0500 (EDT)
Title: Yahoo/Hotmail scripting vulnerability, worm propagation

Synopsis

Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate a Melissa-type worm through those webmail services.

Description

An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the email is a link to Yahoo or Hotmail's own server. The link contains escaped javascript that is executed when the page is loaded. That javascript then opens a window that could navigate through the victim's inbox, sending messages with the malicious link to every email address it finds in the inbox. Because the malicious javascript executes inside a page from the mail service's own server, there is no domain-bounding error when the javascript is controlling the window with the victim's inbox.

Who is vulnerable

Users of the Yahoo Mail and Hotmail service. Although the exploit requires a user to click on a link, two things work for this exploit. (1) The email comes from a familiar user (sent by the worm), and (2) The link is to a familiar, trusted server. Theoretically, more services are vulnerable, due to the proliferation of these holes, but the worm is limited to web mail services.

Proof-of-Concept

Sample links and the worm code can be found at: http://www.sidesport.com/webworm/

Solution

Escaping all query data that is echoed to the screen eliminates this problem. This must be done on every page on a server that can send or read mail for the service.

Vendor Status

Both Yahoo and Hotmail were notified on May 23 2001.

-mparcens
mparcens () hushmail com
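The fix named under "Solution" above, as an added example that is not part of the original post or of either vendor's code: a page that echoes a query parameter, first as-is and then HTML-escaped. The template, the "folder" parameter, the host name and the sample link are all constructed for illustration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Hypothetical error page of a webmail service that echoes a query parameter.
TEMPLATE = "<html><body><p>Folder not found: {folder}</p></body></html>"


def query_param(url, name):
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get(name, [""])
    return values[0]


def render_unsafe(url):
    """The flaw: decoded query data is echoed into the page as-is."""
    return TEMPLATE.format(folder=query_param(url, "folder"))


def render_escaped(url):
    """The fix: HTML-escape the value (quotes included) before echoing it."""
    return TEMPLATE.format(folder=html.escape(query_param(url, "folder"), quote=True))


def contains_live_markup(page):
    """Crude check for this demo: did a script element survive into the output?"""
    return "<script" in page.lower()


# Constructed sample link: the script is percent-encoded ("escaped") in the URL,
# so it looks like an ordinary link to the service's own server.
SAMPLE_LINK = ("http://mail.example.test/folder?folder="
               "%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E")

if __name__ == "__main__":
    for render in (render_unsafe, render_escaped):
        page = render(SAMPLE_LINK)
        print(render.__name__, "-> script element in output:", contains_live_markup(page))
        print("  ", page)
```

html.escape covers values echoed into HTML text and quoted attributes; data echoed inside a script block or a URL needs the encoding for that context instead.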