Pieter_Arntz
November 14th, 2002, 08:29 AM
This is an excerpt from an article I found at: www.dsinet.org
"
-------------------------------------------------------
XSS/Cookie problems at major (webmail) sites Advisory
-------------------------------------------------------
XSS/Cookie problems at major (webmail) sites
13/11/02
- by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org)
----------------------
Introduction:
----------------------
After finding an XSS/Cookie bug in the lycos.com mail site[0], I
wondered if it was the only site with those problems. I found out
that more sites got the same problem. This advisory gives three
other sites to show the problem, and explains what the problem is.
----------------------
Vendor Information:
----------------------
Homepage : http://www.hotmail.com
Vendor informed about bug : -
Mailed advisory: 11/11/02
Vendor Response : none (yet?)
Status : Cookie capturing still possible
Homepage : http://www.yahoo.com
Vendor informed about bug : 03/11/02
Mailed advisory: 03/11/02
Vendor Response : none (yet?)
Status : Cookie capturing still possible
Homepage : http://www.excite.com
Vendor informed about bug : 11/11/02
Mailed advisory: 11/11/02
Vendor Response : 1 autoreply
Status : Cookie capturing still possible
----------------------
Affected Versions:
----------------------
Tested on:
- hotmail.com webmail
- yahoo.com Webmail
- excite.com webmail
Not tested on:
- Other MSN/Passport services
- Other yahoo services
- Other excite services
----------------------
Description:
----------------------
What is Hotmail?
-------------
- http://www.hotmail.com
- Hotmail is the world's largest provider of free, Web-based
e-mail. It is based on the premise that e-mail access
should be easy and possible from any computer connected to
the World Wide Web. Hotmail eliminates the disparities
among e-mail programs by adhering to the universal Hypertext
Transfer Protocol (HTTP) standard. Sending and receiving
e-mail from Hotmail is easy: go to the Hotmail Web site at
http://www.hotmail.com or click the Hotmail link at
http://www.msn.com, sign in, and send an e-mail message. By
using a Web browser as a universal e-mail program, Hotmail
lets you stay connected anywhere in the world.
What is Yahoo?
-------------
- http://www.yahoo.com/
- "Yahoo currently provides users with access to a rich
collection of resources, including, various communications
tools, forums, shopping services, personalized content and
branded programming through its network of properties (the
"Service"). "
- http://mail.yahoo.com
- "Yahoo! Mail is one of the Internet's most popular free
e-mail services.
Access your e-mail account from anywhere
With Yahoo! Mail, you have access to your email from any
Internet-connected computer in the world. Whether you are
at a cafe, in a library, at work or at home, with Yahoo!
Mail, your email address is the same and your account is
accessible from all locations. "
What is Excite?
-------------
- http://www.excite.com
- Excite is a multi-purpose service which allows you to use
or access a wealth of products and services, including
e-mail, search services, chat rooms and bulletin boards,
shopping services, news, financial information and broad
range of other content (collectively the "Excite Service").
----------------------
Vulnerability:
----------------------
All of the above named sites use cookies with their mailservices.
These sites also have more than one service, and the different
services have different hostnames/servers.
The problem with this is that after finding an XSS bug in one of the
many services, an XSS request could be made to get the cookie of
the mail service.
----------------------
Exploit:
----------------------
The XSS bugs can be exploited by letting people click a link in an email.
Other ways to exploit this are:
- Giving people links through instant messengers.
- Put javascript in any homepage, which will open the xss bug.
Can be exploited for example in:
- Badly filtered forums
- Badly filtered guestbooks
- Give people a url which will redirect them to the XSS bug.
And people can think of other ways as well; actually, it isn't
really safe to surf the internet with a webmail account if
the servers aren't fully secure.
All the links above are going to a perl script. This script
(rompigema.pl) will get the cookie and the referrer of the 'victim',
then it will make a request to the server to get the frontpage,
inbox or an email from the 'victim'.
----------------------
Patch:
----------------------
Well, it's up to the sites to patch this. It would be a good idea
to not put insecure scripts on a server which uses the same
cookies as your mailsystem.
Also I really think an idea like HttpOnly[1] would be a good start
in getting rid of all the XSS bugs."
As always: watch out what you click,
Pieter
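An added example, not part of the advisory or of the original post: a small Python check for the cookie problem the advisory's Patch section points at. It parses a Set-Cookie header the way a browser would (RFC 6265 domain matching), then reports whether a mail cookie would also be sent to the vendor's sibling services and whether it is readable by page script because HttpOnly is missing. The hostnames and the cookie name are constructed for illustration; none of the named sites' real hosts or cookies are used.

```python
# Added example: audit of cookie scope and HttpOnly for the cross-service
# cookie problem the advisory describes. Hostnames and cookie names below are
# constructed for illustration; none of the vendors' real values are used.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CookieScope:
    name: str
    domain: Optional[str]  # Domain attribute; None means a host-only cookie
    path: str
    httponly: bool
    secure: bool


def parse_set_cookie(header: str) -> CookieScope:
    """Parse the attributes of one Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    domain: Optional[str] = None
    path, httponly, secure = "/", False, False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "domain":
            # A leading dot on Domain is ignored by modern browsers (RFC 6265).
            domain = value.lstrip(".").lower() or None
        elif key == "path":
            path = value or "/"
        elif key == "httponly":
            httponly = True
        elif key == "secure":
            secure = True
    return CookieScope(name, domain, path, httponly, secure)


def domain_matches(cookie_domain: Optional[str], set_by_host: str, request_host: str) -> bool:
    """RFC 6265 domain matching. A host-only cookie (no Domain attribute) goes
    back only to the host that set it; a Domain attribute makes the browser
    send the cookie to that domain and to every subdomain of it."""
    request_host = request_host.lower()
    if cookie_domain is None:
        return request_host == set_by_host.lower()
    return request_host == cookie_domain or request_host.endswith("." + cookie_domain)


def audit_cookie(header: str, set_by_host: str, other_hosts: List[str]) -> List[str]:
    """Return findings for a cookie set by the mail host, given the vendor's other hosts."""
    cookie = parse_set_cookie(header)
    shared_with = [h for h in other_hosts if domain_matches(cookie.domain, set_by_host, h)]
    findings = []
    if shared_with:
        findings.append(f"{cookie.name} is also sent to: {', '.join(shared_with)}")
    if not cookie.httponly:
        findings.append(f"{cookie.name} is readable by page script (no HttpOnly)")
    if shared_with and not cookie.httponly:
        findings.append(f"an XSS bug on any of those hosts exposes {cookie.name}")
    return findings


# Constructed hosts: one webmail host and two sibling services of the same vendor.
MAIL_HOST = "mail.example.test"
OTHER_HOSTS = ["search.example.test", "forums.example.test"]

# The pattern the advisory describes: one cookie for the whole parent domain,
# readable by script on every host under it.
WEAK_COOKIE = "MAILSESSION=abc123; Domain=.example.test; Path=/"
# The patched pattern: host-only (no Domain attribute), Secure and HttpOnly.
HARDENED_COOKIE = "MAILSESSION=abc123; Path=/; Secure; HttpOnly"

if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("hardened", HARDENED_COOKIE)):
        print(label, audit_cookie(header, MAIL_HOST, OTHER_HOSTS) or ["no findings"])
```

Running it reports three findings for the weak cookie (sent to both sibling hosts, readable by script, exposed by any XSS bug on those hosts) and none for the hardened one. The two changes map directly onto the advisory's suggestions: dropping the Domain attribute keeps the mail cookie off the servers that host the other services, and HttpOnly keeps it out of reach of a script that does run on the mail host.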