Re: Cross site scripting in almost every mayor website

[FozZy <fozzy () dmpfrance com>]

Hello,

Right, all credits go to you, of course.
I thought it was written on Berend-Jan's site.

I think it is interesting to discuss the disclosure policy in this particular case. This flaw affects almost every 
webmail, not only "big" ones. A lot of people in different countries use small webmails embedded in "national" web 
portals. There are hundreds of them, and obviously it is impossible not to forget a site. Not to mention the time spent 
trying to find the right contact for each one company.
So there are two possibilities : contacting only the "big" companies and wait for them to patch (during this time the 
other webmails are at risk but they don't know about it) or going public directly (small companies can apply a patch at 
the same time as big ones, no discrimination, but more users at risk during a small amount of time). This apply also to 
other situations, in my opinion it's like when you discover a new exploitation technic breaking many systems (timing 
analysis...) you send it to Microsoft before going public.

What is best ?

I apologize if the same kind of problem was discussed before on the mailing-list.

Regards,

FozZy

Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html

On Tue, 23 Apr 2002 22:43:38 +0200
"GreyMagic Software" <security () greymagic com> wrote:

> Hello,
>
> We have discovered this quite a while ago (when investigating GM#001-IE,
> actually) and have verified it to work on the following
> services/applications:
>
> * hotmail.com
> * msn.com
> * yahoo.com
> * mail.com
> * iname.com
> * lycos.com
> * excite.com
> * Qualcomm Eudora
>
> The code published by SkyLined is obviously a slightly altered version of
> the data binding code that appears in GM#001-IE (even the elements id's
> remained the same), so we feel that an acknowledgment was in place.
>
> Either way, we were planning to release this after we had the opportunity to
> contact each and every vendor in the above list, but since this is out in
> the open there's no reason for that now.
>
> A little example of embedding an iframe:
>
> <xml id="filter">
> <i><b>
> &lt;iframe
> src="http://security.greymagic.com/adv/gm001-ie/"&gt;&lt;/iframe&gt;
> </b></i>
> </xml>
> <span datafld="b" dataformatas="html" datasrc="#filter"></span>
>
> When trying to inject script into yahoo (and others) using events such as
> onerror, yahoo tries to filter them out even if they appear inside the <xml>
> element. This can be easily bypassed by using o&#110;error instead of
> onerror, for example.
>
> Regards.
>
> -----Original Message-----
> From: Berend-Jan Wever [mailto:skylined () edup tudelft nl]
> Sent: Sunday, April 21, 2002 12:50
> To: bugtraq () securityfocus com
> Subject: Re: Cross site scripting in almost every mayor website
>
>
>
>
> Been there, done that.
>
>
>
> I have successfully created a worm and tested it
>
> before trying to report this to McAfee, they do the
>
> vrus scanning for hotmail. I got a "you are not a
>
> registered user" auto-reply and they ignored my
>
> messages because I wasn't in their files ;( too bad
>
> for them.
>
> You do have full access to the DOM of Hotmail
>
> when you can find a way to cross-site script, thus
>
> allowing you full access to the inbox, address
>
> book etc...
>
>
>
> BJ
>
> ----- Original Message -----
>
> From: FozZy
>
> To: bugtraq () securityfocus com
>
> Cc: skylined () edup tudelft nl ; vuln-
>
> dev () securityfocus com
>
> Sent: Sunday, April 21, 2002 3:53
>
> Subject: Re: Cross site scripting in almost every
>
> mayor website
>
>
>
>
>
> To webmail developpers : there is something
>
> interesting for you hidden in this post. The
>
> Hotmail problem was a "evil html filtering" problem
>
> in incoming e-mails. It was possible to bypass the
>
> filter by injecting javascript with XML, when
>
> parsed with IE.  See :
>
> http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hot
>
> mail.howto.css.html
>
>
>
> *** I guess that many other webmails are
>
> vulnerable to this attack. ***
>
>
>
> I verified that Yahoo is vulnerable with IE 5.5 (but
>
> they have other bugs and they don't care, see
>
> http://online.securityfocus.com/archive/1/265464).
>
> I did not checked other webmails, but I am sure
>
> almost every one can be cracked this way.
>
>
>
> > The fix: as far as I could find out they now
>
> replace
>
> > the properties 'dataFld', 'dataFormatAs'
>
> > and 'dataSrc' of any HTML tag
>
> > with 'xdataFld', 'xdataFormatAs' and 'xdataSrc'
>
> to
>
> > prevent XML generation of HTML alltogether.
>
>
>
> The implication of executing javascript is that an
>
> incoming email can control the mailbox of the
>
> user.  It is also possible to send the session
>
> cookie to a cgi script and read remotely all the e-
>
> mails. (BTW, it is still possible to do that on
>
> Hotmail and on almost every webmail, since they
>
> don't check the IP address, even without this XML
>
> trick cause their filters are sooo bad)
>
> I fear that a cross-platform and cross-site webmail
>
> worm deleting all the emails and spreading could
>
> appear in the near future. Please Hotmail Yahoo
>
> & co, do something before it comes true...
>
>
>
> FozZy
>
>
>
> Hackademy / Hackerz Voice
>
> http://www.dmpfrance.com/inted.html