Hey all,

See attachment (myownemail.com.txt)

Cheers,
elab
http://elaboration.8bit.co.uk
Title: XSS + Info leak @ www.myownemail.com
Date: 22.03.02
Author: elab (http://elaboration.8bit.co.uk)

Problem: Cross-site scripting problems as well as web root exposure

Vendor Status:
Contacted on: 16:00 GMT 12 March 02
Via: msp@myownemail.com
Response: None

Summary:
Certain script variables in certain URLs at MOE-owned web sites can be replaced with a scripting language such as JavaScript. When an unknowing user clicks on such a URL, the JS is executed in their browser in the context of the MOE site. Below is a copy of the email that was sent to the vendor (the contact address was taken from the help link @ www.mystartingpage.com).

--8<--
Hey guys,

I found a few problems that you might want to be made aware of.

http://www.mystartingpage.com/default.cfm?p=<script>alert("test");</script>

http://trust-me.com/moe4/mail/ReadMessage.cfm?num_messages=<script>alert("test");</script>&message=04&domain=trust-me.com&UID=[hash]&CurrentFolder=inbox&cb=045

In the second one I left my UID hash out, but it needs a valid hash to work. The first also reveals your web root.

I refer you to http://www.wiretrip.net/rfp/policy.html.

elab
http://elaboration.8bit.co.uk
--8<--

After contacting the vendor, a third problem was found:

http://www.myownemail.com/moe4/login/mailpassword.cfm?username=<script>alert("test");</script>&domain=trust-me.com

Due to the lack of response from the vendor, no attempt was made to inform them of this third problem.

Solution: None as of the release date.

Vendor: The vendor was contacted via msp@myownemail.com at 16:00 GMT on 12 March 02 and failed to respond. A copy of this advisory has been CC'ed to them.

Notes:
MOE seems to use a one-way hash to authenticate its users. This seems to take the form of a 302 Object Moved response which redirects the client to a URL containing a UID hash calculated server side. Little, if any, information is contained in the cookies issued by the server, which lessens the impact of the above issues. Note, however, that a session identifier carried in the URL rather than in a cookie is readable by any script running in that page (via the document location) and is sent in the Referer header of any request the page makes to another site.

Also, the web root exposure is likely due to the version of the scripting engine they are using, rather than a problem with their scripts.

This advisory is also available from http://elaboration.8bit.co.uk

Disclaimer: All of the above information could well be wrong. Judge for yourself.
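As an added example (not part of the advisory, and not the vendor's code), the following Python models the reflection the advisory reports: a page that echoes a query parameter straight into its HTML, the same page with output encoding applied, and a probe that sends the advisory's canary into each candidate parameter and reports which ones come back unencoded. The page and parameter names (`p`, `username`, `num_messages`, `domain`) are stand-ins for the .cfm pages above; the whole thing runs offline against these constructed pages, and the probe generalises to any list of parameter names.

```python
"""Reflected-XSS probe and output-encoding fix, modelled on the
default.cfm?p=... and mailpassword.cfm?username=... reports.
Offline model of the behaviour, not the vendor's code."""
import html
from urllib.parse import urlencode, unquote_plus

# The same canary the advisory uses in its URLs.
XSS_CANARY = '<script>alert("test");</script>'


def parse_query(query):
    """Decode a URL query string into a dict, as the server sees it after the
    browser has percent-encoded the link the victim clicked."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params[unquote_plus(name)] = unquote_plus(value)
    return params


def make_page(reflected_params, escape_output):
    """Return a render(query) function standing in for a .cfm page that echoes
    the named parameters into its HTML.  escape_output=False reproduces the
    reported bug; escape_output=True is the fix (HTML-encode at output time)."""
    def render(query):
        params = parse_query(query)
        body = []
        for name in reflected_params:
            value = params.get(name, "")
            if escape_output:
                # Encode <, >, &, " and ' so the value can only ever be text.
                value = html.escape(value, quote=True)
            body.append(f"<p>{name}: {value}</p>")
        return "<html><body>" + "".join(body) + "</body></html>"
    return render


def find_reflected(render, candidate_params, canary=XSS_CANARY):
    """Probe each parameter with the canary and return the names of those
    that are echoed back unencoded (i.e. the script tag survives intact)."""
    vulnerable = []
    for name in candidate_params:
        page = render(urlencode({name: canary}))
        if canary in page:
            vulnerable.append(name)
    return vulnerable


if __name__ == "__main__":
    # Constructed parameter sets modelled on the advisory's URLs.
    candidates = ["p", "username", "domain", "num_messages"]
    buggy = make_page(["p", "username", "num_messages"], escape_output=False)
    fixed = make_page(["p", "username", "num_messages"], escape_output=True)
    print("unencoded reflection in:", find_reflected(buggy, candidates))
    print("after output encoding:  ", find_reflected(fixed, candidates))
    print(fixed(urlencode({"p": XSS_CANARY})))
```

The probe deliberately sends the canary percent-encoded, the way a browser would when a user clicks the link, and the check is simply whether the raw `<script>` text reappears in the response; `domain` is never reflected by the model page, so it never shows up even in the buggy variant. The fix is encoding at the point of output, which is what the `alert("test")` links above would need on the server side.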