RE: Yahoo/Hotmail scripting vulnerability, worm propagation
From: "Microsoft Security Response Center" <secure () microsoft com>
Date: Thu, 31 May 2001 16:24:14 -0700
-----BEGIN PGP SIGNED MESSAGE-----
We are investigating this matter thoroughly and aggressively to
determine whether or not it is valid. Contrary to the poster's
claim, we have not received any direct communications on this
possible (or alleged) vulnerability.
secure () microsoft com
- -----Original Message-----
From: mparcens () hushmail com [mailto:mparcens () hushmail com]
Sent: Wednesday, May 30, 2001 5:18 PM
To: bugtraq () securityfocus com
Subject: Yahoo/Hotmail scripting vulnerability, worm propagation
Title: Yahoo/Hotmail scripting vulnerability, worm propagation
Cross-site-scripting holes in Yahoo and Hotmail make it possible to
a Melissa-type worm through those webmail services.
An email is sent to the victim, who uses Yahoo Mail or Hotmail.
email is a link to Yahoo or Hotmail's own server. The link contains
opens a window that could navigate through the victim's inbox,
with the malicious link to every email address it finds in the inbox.
the window with the victim's inbox.
Who is vulnerable
Users of the Yahoo Mail and Hotmail service. Although the exploit
a user to click on a link, two things work for this exploit. (1) The
comes from a familiar user (sent by the worm), and (2) The link is to
familiar, trusted server. Theoretically, more services are
to the proliferation of these holes, but the worm is limited to web
Sample links and the worm code can be found at:
Escaping all query data that is echoed to the screen eliminates this
This must be done on every page on a server that can send or read
Both Yahoo and Hotmail were notified on May 23 2001.
mparcens () hushmail com
Free, encrypted, secure Web-based email at www.hushmail.com
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
-----END PGP SIGNATURE-----
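
The mitigation named in the advisory (escaping all query data that is echoed to the screen), shown as an added example that is not part of either message or of any Yahoo or Hotmail code. The host name, the parameter names and the page template are constructed assumptions; the unescaped renderer stands for the defect, the escaped one for the fix, and the last function is a check that can be run against each page's output.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed request URL (assumption): the "folder" value carries markup
# characters, URL-encoded, as a harmless canary.
SAMPLE_URL = ("https://mail.example.test/inbox"
              "?folder=%22%3E%3Cb%3Ecanary%3C%2Fb%3E&sort=date")


def query_params(url):
    """Return the first value of each query parameter, URL-decoded."""
    parsed = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def render_unescaped(params):
    """The defect: query data is concatenated into the page as-is."""
    folder = params.get("folder", "")
    return ('<h1>Folder: ' + folder + '</h1>'
            '<input name="folder" value="' + folder + '">')


def render_escaped(params):
    """The fix: escape at output time. quote=True also encodes quote
    characters, so the value cannot close the attribute it is placed in."""
    folder = html.escape(params.get("folder", ""), quote=True)
    return ('<h1>Folder: ' + folder + '</h1>'
            '<input name="folder" value="' + folder + '">')


def reflected_raw(params, page):
    """Names of parameters whose value contains markup characters and
    shows up verbatim (unescaped) in the rendered page."""
    return sorted(name for name, value in params.items()
                  if any(c in value for c in '<>"\'&') and value in page)


if __name__ == "__main__":
    params = query_params(SAMPLE_URL)
    print("unescaped page reflects:", reflected_raw(params, render_unescaped(params)))
    print("escaped page reflects:  ", reflected_raw(params, render_escaped(params)))
```
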