TOPIC: accounts vulnerable to script attack.
ADVISORY NR: 200101
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)
CONTACT INFORMATION:

STATUS
was contacted on September 5, 2001 using the support form. No reply was received.

DESCRIPTION
is a web-based mail service that lets you choose from a large number of domains to get a personalized email account. This vulnerability was tested to work in Internet Explorer 5.5 and Netscape Navigator 4.73.

VULNERABILITY
Whenever you log in to a Myownemail account, the inbox is opened. If you send an email with a specially formed "from" field, which usually contains a name, you can execute JavaScript, VBScript, etc. on the computer of the person who logged in.

FIX
has not yet fixed this to my knowledge.

FINAL NOTES
Recently an advisory was posted on Bugtraq about a similar bug in Hotmail. This advisory was not written because of that. I found this particular problem on September 5th. On the same day I contacted I sent Myownemail a simple proof of concept. Because it is easy enough to make this work, I do not see the need to produce example code.
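
One way a webmail inbox view can neutralise the "from" field problem described under VULNERABILITY, shown as an added example that is not part of the original advisory and is not Myownemail's code. The function names and both sample headers are constructed for illustration; the hardened row decodes the display name first and HTML-escapes it on output.

```python
import html
from email.header import Header, decode_header, make_header
from email.utils import parseaddr


def display_name(from_header: str) -> str:
    """Return the decoded display name of a From header, or the address if none."""
    name, addr = parseaddr(from_header)
    # RFC 2047 encoded-words are decoded before anything else, so that the
    # escaping step sees the same characters the browser would receive.
    if name:
        name = str(make_header(decode_header(name)))
    return name or addr


def inbox_row_unsafe(from_header: str, subject: str) -> str:
    """The flaw the advisory describes: header text pasted into HTML as-is."""
    return f"<tr><td>{display_name(from_header)}</td><td>{subject}</td></tr>"


def inbox_row(from_header: str, subject: str) -> str:
    """Hardened row: every sender-controlled value is HTML-escaped on output."""
    sender = html.escape(display_name(from_header), quote=True)
    return f"<tr><td>{sender}</td><td>{html.escape(subject, quote=True)}</td></tr>"


# Constructed sample headers (not taken from the advisory).
MARKUP = "<script>alert(1)</script>"
PLAIN = f'"{MARKUP}" <sender@example.com>'
# Same name as an encoded-word: the raw header contains no "<" in the name,
# which is why the check belongs at output time rather than on the raw bytes.
ENCODED = Header(MARKUP, "utf-8").encode() + " <sender@example.com>"

if __name__ == "__main__":
    for hdr in (PLAIN, ENCODED):
        print("raw header :", hdr)
        print("unsafe row :", inbox_row_unsafe(hdr, "hello"))
        print("escaped row:", inbox_row(hdr, "hello"))
```
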