Been there, done that.
I have successfully created a worm and tested it
before trying to report this to McAfee, they do the
vrus scanning for hotmail. I got a "you are not a
registered user" auto-reply and they ignored my
messages because I wasn't in their files ;( too bad
for them.
You do have full access to the DOM of Hotmail
when you can find a way to cross-site script, thus
allowing you full access to the inbox, address
book etc...
BJ
----- Original Message -----
From: FozZy
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ; vuln-
[EMAIL PROTECTED]
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every
mayor website
To webmail developpers : there is something
interesting for you hidden in this post. The
Hotmail problem was a "evil html filtering" problem
in incoming e-mails. It was possible to bypass the
filter by injecting javascript with XML, when
parsed with IE. See :
http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hot
mail.howto.css.html
*** I guess that many other webmails are
vulnerable to this attack. ***
I verified that Yahoo is vulnerable with IE 5.5 (but
they have other bugs and they don't care, see
http://online.securityfocus.com/archive/1/265464).
I did not checked other webmails, but I am sure
almost every one can be cracked this way.
> The fix: as far as I could find out they now
replace
> the properties 'dataFld', 'dataFormatAs'
> and 'dataSrc' of any HTML tag
> with 'xdataFld', 'xdataFormatAs' and 'xdataSrc'
to
> prevent XML generation of HTML alltogether.
The implication of executing javascript is that an
incoming email can control the mailbox of the
user. It is also possible to send the session
cookie to a cgi script and read remotely all the e-
mails. (BTW, it is still possible to do that on
Hotmail and on almost every webmail, since they
don't check the IP address, even without this XML
trick cause their filters are sooo bad)
I fear that a cross-platform and cross-site webmail
worm deleting all the emails and spreading could
appear in the near future. Please Hotmail Yahoo
& co, do something before it comes true...
FozZy
Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html