Title: XSS + Info leak @ www.myownemail.com
Date: 22.03.02
Author: elab (http://elaboration.8bit.co.uk)
Problem: Cross site scripting problems as well as web root exposure
Vendor Status: Contacted on: 16:00 GMT 12 March 02
Via: msp () myownemail com
Response: None
Summary:
Certain script parameters in URLs on MOE-owned web sites can be
replaced with script code such as JavaScript. When an unsuspecting
user follows such a URL, the script is executed in their browser.
Below is a copy of the email that was sent to the vendor
(the contact address was taken from the help link at
www.mystartingpage.com).
--8<--
Hey guys,
I found a few problems that you might want to be made aware of.
http://www.mystartingpage.com/default.cfm?p=
http://trust-me.com/moe4/mail/ReadMessage.cfm?num_messages=&message=04&domain=trust-me.com&UID=[hash]&CurrentFolder=inbox&cb=045
The second one I left my UID hash out of but it needs a valid hash to work. The first also reveals your web root.
I refer you to http://www.wiretrip.net/rfp/policy.html.
elab
http://elaboration.8bit.co.uk
--8<--
After contacting the vendor, a third problem was found:
http://www.myownemail.com/moe4/login/mailpassword.cfm?username=&domain=trust-me.com
Because the vendor did not respond, no attempt was made to
inform them of this third problem.
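The defect behind the first two URLs is a query parameter echoed into the page unencoded. The following is an added example (not MOE's code, and not ColdFusion) showing a minimal handler written both ways, a check that tells whether a value containing markup comes back verbatim, and a small access-log filter a site operator could run to spot such requests. The URL shapes follow the advisory; the log lines are constructed for the example.

```python
"""Reflected parameter echoed into HTML: the advisory's defect beside the fix.

Added example, not MOE's code. The page rendering is a stand-in for the
default.cfm?p= handler; the log lines below are constructed sample data.
"""
import re
from html import escape
from urllib.parse import parse_qs, unquote_plus, urlsplit


def page_param(url: str, name: str) -> str:
    """Return the first value of query parameter `name` in `url` ('' if absent)."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get(name, [""])[0]


def render_vulnerable(url: str) -> str:
    """Echo the `p` parameter straight into the HTML (the behaviour the advisory describes)."""
    p = page_param(url, "p")
    return f"<html><body>Page: {p}</body></html>"


def render_hardened(url: str) -> str:
    """Same page, but the parameter is HTML-entity encoded before it is echoed."""
    p = page_param(url, "p")
    return f"<html><body>Page: {escape(p, quote=True)}</body></html>"


# Markup that has no business inside a plain page-name or message-id parameter:
# an opening/closing tag, an inline event-handler attribute, or a javascript: URL.
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def reflects_markup(url: str, rendered: str) -> bool:
    """True if any query value containing markup reappears verbatim in the rendered HTML."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for values in qs.values():
        for v in values:
            if MARKUP.search(v) and v in rendered:
                return True
    return False


# Common Log Format request field, e.g. "GET /default.cfm?p=home HTTP/1.0".
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample access-log lines (not real MOE logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2002:16:00:01 +0000] "GET /default.cfm?p=home HTTP/1.0" 200 512',
    '10.0.0.9 - - [12/Mar/2002:16:00:02 +0000] "GET /default.cfm?p=%3Cscript%3E HTTP/1.0" 200 540',
    '10.0.0.7 - - [12/Mar/2002:16:00:03 +0000] "GET /moe4/login/mailpassword.cfm?username=bob&domain=trust-me.com HTTP/1.0" 200 300',
]


def suspicious_requests(log_lines):
    """Return the request path of each log line whose URL-decoded query string contains markup."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        path = m.group("path")
        if MARKUP.search(unquote_plus(urlsplit(path).query)):
            hits.append(path)
    return hits


if __name__ == "__main__":
    probe = "http://www.mystartingpage.com/default.cfm?p=%3Cscript%3E"
    print("vulnerable reflects markup:", reflects_markup(probe, render_vulnerable(probe)))
    print("hardened reflects markup:  ", reflects_markup(probe, render_hardened(probe)))
    print("flagged log requests:", suspicious_requests(SAMPLE_LOG))
```

Entity-encoding at the point of output is the fix regardless of which parameter (`p`, `message`, `domain`) is echoed; the log filter is only a coarse indicator and will miss payloads that avoid angle brackets, so it complements rather than replaces the encoding.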
Solution:
None as of release date.
Vendor:
The vendor was contacted via msp () myownemail com at 16:00 GMT on
12 March 02 and did not respond.
The vendor has been CC'ed a copy of this advisory.
Notes:
MOE appears to use a one-way hash to authenticate its users.
This seems to take the form of a 302 Object Moved response that
redirects the client to a URL containing a UID hash calculated
server-side. Little, if any, information is contained in the
cookies issued by the server, which lessens the impact of the
above issues.
Also, the web root exposure is likely due to the version of the
scripting engine they are using, rather than a problem with
their scripts.
This advisory is also available from
http://elaboration.8bit.co.uk
Disclaimer:
All of the above information could well be wrong; judge for
yourself.