Hushmail.com accounts vulnerable to script attack.

[onesemicolon () onesemicolon cjb net]

TOPIC: Hushmail.com accounts vulnerable to script attack.
ADVISORY NR: 200102
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)

CONTACT INFORMATION:
http://onesemicolon.cjb.net
me () onesemicolon cjb net

STATUS: Hushmail.com was contacted on September 5, 2001 using the support form.
No reply was received.

DESCRIPTION
Hushmail.com is a web based mail service that promotes itself as a secure 
solution. This vulnerability was tested to work in Internet Explorer 5.5.

VULNERABILITY
Whenever you login to a Hushmail account the inbox is opened. If you send a email
with a specially formed "from" field, which usually contains a name, you can
execute javascript, vbscript, etc. on the computer of the person who logged in.
This also works for the "topic" field.

FIX
Hushmail.com has not yet fixed this to my knowledge.

FINAL NOTES
Recently a advisory was posted on Bugtraq about a similar bug in Hotmail. This
advisory was not written because of that. I found this particular problem on
September 5th. On the same day I contacted Hushmail.com.
I sent Hushmail a simple proof of concept, because it is easy enough to make
this work I do not see the need to produce example code. You WILL have to make
some adjustments on how you send your script to make it work.