RE: Cross site scripting in almost every mayor website

["GreyMagic Software" <security () greymagic com>]

Hello,

We have discovered this quite a while ago (when investigating GM#001-IE,
actually) and have verified it to work on the following
services/applications:

* hotmail.com
* msn.com
* yahoo.com
* mail.com
* iname.com
* lycos.com
* excite.com
* Qualcomm Eudora

The code published by SkyLined is obviously a slightly altered version of
the data binding code that appears in GM#001-IE (even the elements id's
remained the same), so we feel that an acknowledgment was in place.

Either way, we were planning to release this after we had the opportunity to
contact each and every vendor in the above list, but since this is out in
the open there's no reason for that now.

A little example of embedding an iframe:

<xml id="filter">
<i><b>
&lt;iframe
src="http://security.greymagic.com/adv/gm001-ie/"&gt;&lt;/iframe&gt;
</b></i>
</xml>
<span datafld="b" dataformatas="html" datasrc="#filter"></span>

When trying to inject script into yahoo (and others) using events such as
onerror, yahoo tries to filter them out even if they appear inside the <xml>
element. This can be easily bypassed by using o&#110;error instead of
onerror, for example.

Regards.

-----Original Message-----
From: Berend-Jan Wever [mailto:skylined () edup tudelft nl]
Sent: Sunday, April 21, 2002 12:50
To: bugtraq () securityfocus com
Subject: Re: Cross site scripting in almost every mayor website




Been there, done that.



I have successfully created a worm and tested it

before trying to report this to McAfee, they do the

vrus scanning for hotmail. I got a "you are not a

registered user" auto-reply and they ignored my

messages because I wasn't in their files ;( too bad

for them.

You do have full access to the DOM of Hotmail

when you can find a way to cross-site script, thus

allowing you full access to the inbox, address

book etc...



BJ

----- Original Message -----

From: FozZy

To: bugtraq () securityfocus com

Cc: skylined () edup tudelft nl ; vuln-

dev () securityfocus com

Sent: Sunday, April 21, 2002 3:53

Subject: Re: Cross site scripting in almost every

mayor website





To webmail developpers : there is something

interesting for you hidden in this post. The

Hotmail problem was a "evil html filtering" problem

in incoming e-mails. It was possible to bypass the

filter by injecting javascript with XML, when

parsed with IE.  See :

http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hot

mail.howto.css.html



*** I guess that many other webmails are

vulnerable to this attack. ***



I verified that Yahoo is vulnerable with IE 5.5 (but

they have other bugs and they don't care, see

http://online.securityfocus.com/archive/1/265464).

I did not checked other webmails, but I am sure

almost every one can be cracked this way.



> The fix: as far as I could find out they now

replace

> the properties 'dataFld', 'dataFormatAs'

> and 'dataSrc' of any HTML tag

> with 'xdataFld', 'xdataFormatAs' and 'xdataSrc'

to

> prevent XML generation of HTML alltogether.



The implication of executing javascript is that an

incoming email can control the mailbox of the

user.  It is also possible to send the session

cookie to a cgi script and read remotely all the e-

mails. (BTW, it is still possible to do that on

Hotmail and on almost every webmail, since they

don't check the IP address, even without this XML

trick cause their filters are sooo bad)

I fear that a cross-platform and cross-site webmail

worm deleting all the emails and spreading could

appear in the near future. Please Hotmail Yahoo

& co, do something before it comes true...



FozZy



Hackademy / Hackerz Voice

http://www.dmpfrance.com/inted.html