COMMAND

    Cross-site-scripting

SYSTEMS AFFECTED

    Yahoo/Hotmail

PROBLEM

    'mparcens' reported the following.  Cross-site-scripting holes in
    Yahoo and Hotmail make it possible to replicate a Melissa-type worm
    through those webmail services.

    An email is sent to the victim, who uses Yahoo Mail or Hotmail.
    Inside the email is a link to Yahoo's or Hotmail's own server.  The
    link contains escaped JavaScript that is executed when the page
    is loaded.  That JavaScript then opens a window that could
    navigate through the victim's inbox, sending messages with the
    malicious link to every email address it finds in the inbox.
    Because the malicious JavaScript executes inside a page from the
    mail service's own server, there is no domain-bounding error when
    the JavaScript is controlling the window with the victim's inbox.

    Users of the Yahoo Mail and Hotmail services are vulnerable.
    Although the exploit requires a user to click on a link, two
    things work in the exploit's favor:
    (1) The email comes from a familiar user (sent by the worm), and
    (2) The link is to a familiar, trusted server.

    Theoretically,  more   services  are   vulnerable,  due   to   the
    proliferation of these holes, but the worm is limited to web  mail
    services.

    Sample links and the worm code can be found at:

        http://www.sidesport.com/webworm/

SOLUTION

    Escaping all query  data that is  echoed to the  screen eliminates
    this problem.  This  must be done on  every page on a  server that
    can send or read mail for the service.
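
    The fix described above, shown as an added example that is not part
    of the original advisory or of either service's code.  The function
    names, the "q" parameter and the mail.example host are hypothetical,
    and the sample URLs are constructed.

```javascript
// Added example: a page that echoes a query parameter, before and after escaping.
// All names (escapeHtml, renderUnsafe, renderSafe, "q", mail.example) are hypothetical.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can change the HTML parsing context.
// A single regex pass means already-produced entities are never escaped twice.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read the URL-decoded value of "q"; decoding happens before output, so
// escaping must be applied to the decoded value at the point it is echoed.
function queryValue(requestUrl) {
  return new URL(requestUrl).searchParams.get("q") ?? "";
}

// BEFORE: the decoded value is echoed verbatim, so markup carried in the
// link becomes markup in a page served from the mail service's own origin.
function renderUnsafe(requestUrl) {
  const q = queryValue(requestUrl);
  return `<p>No messages match: ${q}</p><input name="q" value="${q}">`;
}

// AFTER: every echo of the value is escaped, in element text and in the
// quoted attribute alike, so the browser treats it as text.
function renderSafe(requestUrl) {
  const q = escapeHtml(queryValue(requestUrl));
  return `<p>No messages match: ${q}</p><input name="q" value="${q}">`;
}

// Constructed sample links pointing at the service's own (hypothetical) host.
const SAMPLE_TAG = "https://mail.example/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
const SAMPLE_ATTR = "https://mail.example/search?q=%22%3E%3Cb%3E";

for (const url of [SAMPLE_TAG, SAMPLE_ATTR]) {
  console.log("unsafe:", renderUnsafe(url));
  console.log("safe:  ", renderSafe(url));
}
```

    The same escaping has to wrap every place a request value reaches
    the response; one unescaped echo on any page of the origin is enough.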