|
|
#1
November 14th, 2002, 08:29 AM
|
||||
|
||||
Web-mail vulnerability
This is an excerpt from an article I found at: www.dsinet.org
" ------------------------------------------------------- XSS/Cookie problems at major (webmail) sites Advisory ------------------------------------------------------- XSS/Cookie problems at major (webmail) sites 13/11/02 - by "N|ghtHawk" Thijs Bosschert (nighthawk_at_hackers4hackers.org) ---------------------- Introduction: ---------------------- After finding a XSS/Cookie bug in the lycos.com mail site[0], I wondered if it was the only site with those problems. I found out that more sites got the same problem. This advisory gives three other sites to show the problem, and explains what the problem is. ---------------------- Vendor Information: ---------------------- Homepage : http://www.hotmail.com Vendor informed About bug : - Mailed advisory: 11/11/02 Vender Response : none (yet?) Status : Cookie capturing still possible Homepage : http://www.yahoo.com Vendor informed About bug : 03/11/02 Mailed advisory: 03/11/02 Vender Response : none (yet?) Status : Cookie capturing still possible Homepage : http://www.excite.com Vendor informed About bug : 11/11/02 Mailed advisory: 11/11/02 Vender Response : 1 autoreply Status : Cookie capturing still possible ---------------------- Affected Versions: ---------------------- Tested on: - hotmail.com webmail - yahoo.com Webmail - excite.com webmail Not tested on: - Other MSN/Passport services - Other yahoo services - Other excite services ---------------------- Description: ---------------------- What is Hotmail? ------------- - http://www.hotmail.com - Hotmail is the world's largest provider of free, Web-based e-mail. It is based on the premise that e-mail access should be easy and possible from any computer connected to the World Wide Web. Hotmail eliminates the disparities among e-mail programs by adhering to the universal Hypertext Transfer Protocol (HTTP) standard. Sending and receiving e-mail from Hotmail is easy: go to the Hotmail Web site at http://www.hotmail.com or click the Hotmail link at http://www.msn.com, sign in, and send an e-mail message. By using a Web browser as a universal e-mail program, Hotmail lets you stay connected anywhere in the world. What is Yahoo? ------------- - http://www.yahoo.com/ - "Yahoo currently provides users with access to a rich collection of resources, including, various communications tools, forums, shopping services, personalized content and branded programming through its network of properties (the "Service"). " - http://mail.yahoo.com - "Yahoo! Mail is one of the Internet's most popular free e-mail services. Access your e-mail account from anywhere With Yahoo! Mail, you have access to your email from any Internet-connected computer in the world. Whether you are at a cafe, in a library, at work or at home, with Yahoo! Mail, your email address is the same and your account is accessible from all locations. " What is Excite? ------------- - http://www.excite.com - Excite is a multi-purpose service which allows you to use or access a wealth of products and services, including e-mail, search services, chat rooms and bulletin boards, shopping services, news, financial information and broad range of other content (collectively the "Excite Service"). ---------------------- Vulnerability: ---------------------- All of the above named sites use cookies with their mailservices. Also do these sites have more than one service, and for the different services have different hostnames/servers. The problem in this is that with finding a XSS bug in one of the many services there could be made a XSS request to get the cookie of the mailservice. ---------------------- Exploit: ---------------------- The XSS bugs can be exploited by letting people click a link in an email. Other ways to exploit this are: - Giving people links through instant messengers. - Put javascript in any homepage, which will open the xss bug. Can be exploited for example in: - Not good filtered forums - Not good filtered guestbooks - Give people a url which will redirect them to the XSS bug. And people can think of other ways as well, actually it isn't really safe to surf on the internet with a webmail account if the servers aren't fully secure. All the links above are going to a perl script. This script (rompigema.pl) will get the cookie and the referrer of the 'victim', then it will make a request to the server to get the frontpage, inbox or an email from the 'victim'. ---------------------- Patch: ---------------------- Well, it's up to the sites to patch this. It would be a good idea to not put insecure scripts on a server which uses the same cookies as your mailsystem. Also I really think an idea like HttpOnly[1] would be a good start in getting rid of all the XSS bugs." As always: watch out what you click, Pieter
__________________
Regards, Pieter It´s nice to be important, but it´s more important to be nice. Remove & Prevent spyware It's human to make mistakes. It's even more so to blame the computer for it. |
|
#2
January 7th, 2003, 10:21 AM
|
|||
|
|||
|
Re:Web-mail vulnerability
Hmm I don't know about this vulnerability, but once, I managed to access the webemail of a visitor who visited my site from an email in his mail,following the referrer allowed me to acces his email account. I didn't even realise what was happening until where, because I have the habit of randomly checking unfamilar referrers.
It was yahoomail. I'm guessing this is a problem for most web-based emails, espically if the user does not log out properly and it hasn't timed out.. I've read about it before but to see it actually happen was a eyeopener to say the least. |
| « Previous Thread | Next Thread » |
| Thread Tools | Search this Thread |
|
|
