Title: Yahoo/Hotmail scripting vulnerability, worm propagation
Synopsis
Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate
a Melissa-type worm through those webmail services.
Description
An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the
email is a link to yahoo or hotmail's own server. The link contains escaped
javascript that is executed when the page is loaded. That javascript then
opens a window that could nagivate through the victim's inbox, sending messages
with the malicious link to every email address it finds in the inbox. Because
the malicious javascript executes inside a page from the mail service's
own server, there is no domain-bounding error when the javascript is controlling
the window with the victim's inbox.
Who is vulnerable
Users of the Yahoo Mail and Hotmail service. Although the exploit requires
a user to click on a link, two things work for this exploit. (1) The email
comes from a familiar user (sent by the worm), and (2) The link is to a
familiar, trusted server. Theoretically, more services are vulnerable, due
to the proliferation of these holes, but the worm is limited to web mail
services.
Proof-of-Concept
Sample links and the worm code can be found at: http://www.sidesport.com/webworm/
Solution
Escaping all query data that is echoed to the screen eliminates this problem.
This must be done on every page on a server that can send or read mail for
the service.
Vendor Status
Both Yahoo and Hotmail were notified on May 23 2001.
-mparcens
[EMAIL PROTECTED]
Free, encrypted, secure Web-based email at www.hushmail.com
