TOPIC: Myownemail.com accounts vulnerable to script attack.
ADVISORY NR: 200101
DATE: 12-09-01
VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)

CONTACT INFORMATION:
http://onesemicolon.cjb.net
meonesemicolon.cjb.net

STATUS
Myownemail.com was contacted on September 5, 2001 using the support form.
No reply was received.

DESCRIPTION
Myownemail.com is a web based mail service that lets you choose from a large
amount of domains to get a personalized email account. This vulnerability was
tested to work in Internet Explorer 5.5 and Netscape Navigator 4.73.

VULNERABILITY
Whenever you login to a Myownemail account the inbox is opened. If you send a email
with a specially formed "from" field, which usually contains a name, you can
execute javascript, vbscript, etc. on the computer of the person who logged in.

FIX
Myownemail.com has not yet fixed this to my knowledge.

FINAL NOTES
Recently a advisory was posted on Bugtraq about a similar bug in Hotmail. This
advisory was not written because of that. I found this particular problem on
September 5th. On the same day I contacted Myownemail.com.
I sent Myownemail a simple proof of concept, because it is easy enough to make
this work I do not see the need to produce example code.

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]