SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Client)  >   Yahoo Mail Vendors:   Yahoo
Yahoo Mail May Allow a Worm to Send Mail to Other Destinations Listed in a Remote User's Inbox
SecurityTracker Alert ID:  1001660
SecurityTracker URL:  http://securitytracker.com/id/1001660
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jun 1 2001
Original Entry Date:  Jun 1 2001
Impact:   Execution of arbitrary code via network
Exploit Included:  Yes  

Description:   A vulnerability has been reported in Yahoo Mail that reportedly makes it possible for a remote user to send e-mail to a recipient containing Javascript code in a link that will be executed if the link is clicked. The Javascript code could then automatically send mail to all of the destinations listed in the recipient's inbox without user intervention.

To trigger the cross-site scripting vulnerability, a remote user sends an e-mail message to the target recipient that contains a link to Yahoo's own server. If the link's query string contains escaped Javascript, that code is executed when the recipient clicks on the link (the click is required). The Javascript can then open a window in the recipient's browser and navigate through the recipient's inbox, sending messages to every e-mail address listed there. Because the malicious Javascript is executing inside a page served from the mail service's own domain, the browser's same-origin restriction reportedly does not prevent it from controlling the window that holds the victim's inbox.

Some sample links and the worm code are available at:
http://www.sidesport.com/webworm/

The vendor was reportedly notified.

Impact:   A remote user could send e-mail containing Javascript code that, when clicked by the Yahoo Mail recipient, will send out mail to all of the addresses listed in the recipient's inbox.
Solution:   No solution was available at the time of this entry.
Vendor URL:  mail.yahoo.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), Apple (Legacy "classic" Mac), UNIX (Any), Windows (Any)
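The cause listed above (input validation error) and the fix proposed in the source message below (escape all query data that is echoed to the page) can be shown side by side. The following is an added example written for this archive entry; it is not code from the advisory, from the worm proof-of-concept, or from Yahoo or Hotmail. It models a hypothetical webmail "search" page on a made-up host (webmail.example) with a made-up parameter name (q); the sample link is constructed here as a generic reflected-script probe, percent-escaped the way the advisory describes, and is not the original proof-of-concept link.

```javascript
// Added example (not from the advisory or the vendor): a webmail page that
// reflects a query parameter into its HTML, in its vulnerable form and with
// the fix the advisory recommends (escape query data before echoing it).
// Hostname "webmail.example", path "/search" and parameter "q" are assumptions.

// Escape the five characters that can change HTML context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable: the decoded query value is concatenated straight into the page,
// so percent-escaped script carried in the link becomes live markup that runs
// in the mail service's own origin once the victim clicks the link.
function renderVulnerable(q) {
  return `<html><body><h1>Results for ${q}</h1></body></html>`;
}

// Fixed: the same page with the value escaped on output.
function renderFixed(q) {
  return `<html><body><h1>Results for ${escapeHtml(q)}</h1></body></html>`;
}

// Simulate the server side of a click on a link from an e-mail: parse the URL
// (URLSearchParams percent-decodes the value) and render the page with it.
function handleLink(link, render) {
  const url = new URL(link);
  const q = url.searchParams.get("q") || "";
  return render(q);
}

// Crude check for an injected element: is there a literal <script ...> tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample link (not the original proof-of-concept): a generic
// reflected-script probe, percent-escaped in the query string.
const SAMPLE_LINK =
  "http://webmail.example/search?q=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E";

console.log("vulnerable:", handleLink(SAMPLE_LINK, renderVulnerable));
console.log("fixed:     ", handleLink(SAMPLE_LINK, renderFixed));
```

With the vulnerable renderer the decoded value lands in the response as a real script element; with the fixed renderer the same value is rendered as inert text (`&lt;script&gt;...`). The escaping has to be applied on every page of the mail host that echoes request data, since any one unescaped page gives the script the mail service's origin.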

Message History:   None.


 Source Message Contents

Subject:  Yahoo/Hotmail scripting vulnerability, worm propagation


Title: Yahoo/Hotmail scripting vulnerability, worm propagation


Synopsis

Cross-site-scripting holes in Yahoo and Hotmail make it possible to replicate 
a Melissa-type worm through those webmail services.


Description

An email is sent to the victim, who uses Yahoo Mail or Hotmail. Inside the 
email is a link to yahoo or hotmail's own server. The link contains escaped 
javascript that is executed when the page is loaded. That javascript then 
opens a window that could navigate through the victim's inbox, sending messages 
with the malicious link to every email address it finds in the inbox. Because 
the malicious javascript executes inside a page from the mail service's 
own server, there is no domain-bounding error when the javascript is controlling 
the window with the victim's inbox.


Who is vulnerable

Users of the Yahoo Mail and Hotmail service. Although the exploit requires 
a user to click on a link, two things work for this exploit. (1) The email 
comes from a familiar user (sent by the worm), and (2) The link is to a 
familiar, trusted server. Theoretically, more services are vulnerable, due 
to the proliferation of these holes, but the worm is limited to web mail 
services.


Proof-of-Concept

Sample links and the worm code can be found at: http://www.sidesport.com/webworm/


Solution

Escaping all query data that is echoed to the screen eliminates this problem. 
This must be done on every page on a server that can send or read mail for 
the service.


Vendor Status

Both Yahoo and Hotmail were notified on May 23 2001.


-mparcens
mparcens@hushmail.com
