From: Chris Wysopal (weldvulnwatch.org)
Date: Thu Sep 13 2001 - 09:24:05 CDT

    Return-Path: <onesemicolononesemicolon.cjb.net>
    Received: (qmail 24085 invoked from network); 13 Sep 2001 00:37:29 -0000
    Received: from mail.cjb.net (216.194.70.5)
      by 199.233.98.101 with SMTP; 13 Sep 2001 00:37:29 -0000
    Received: (from nobodylocalhost)
            by mail.cjb.net (8.11.5/8.11.5) id f8D0Tmd21434;
            Wed, 12 Sep 2001 18:29:48 -0600 (MDT)
    Date: Wed, 12 Sep 2001 18:29:48 -0600 (MDT)
    Message-Id: <200109130029.f8D0Tmd21434mail.cjb.net>
    Received: from onesemicolon ([216.209.98.114])
            by mail.cjb.net (Apache/1.3.20 (Unix)) with HTTP/1.1
            for <vulnwatchvulnwatch.org>; Wed Sep 12 18:29:44 MDT 2001
    To: vulnwatchvulnwatch.org
    From: onesemicolononesemicolon.cjb.net
    Subject:

    TOPIC: Hushmail.com accounts vulnerable to script attack.
    ADVISORY NR: 200102
    DATE: 12-09-01
    VULNERABILITY FOUND AND WRITTEN BY: 1; (One Semicolon)

    CONTACT INFORMATION:
    http://onesemicolon.cjb.net
    meonesemicolon.cjb.net

    STATUS: Hushmail.com was contacted on September 5, 2001 using the support form.
    No reply was received.

    DESCRIPTION
    Hushmail.com is a web-based mail service that promotes itself as a secure
    solution. This vulnerability was tested to work in Internet Explorer 5.5.

    VULNERABILITY
    Whenever you log in to a Hushmail account the inbox is opened. If you send an email
    with a specially formed "from" field, which usually contains a name, you can
    execute javascript, vbscript, etc. on the computer of the person who logged in.
    This also works for the "topic" field.

    FIX
    Hushmail.com has not yet fixed this to my knowledge.

    FINAL NOTES
    Recently an advisory was posted on Bugtraq about a similar bug in Hotmail. This
    advisory was not written because of that. I found this particular problem on
    September 5th. On the same day I contacted Hushmail.com.
    I sent Hushmail a simple proof of concept. Because it is easy enough to make
    this work, I do not see the need to produce example code. You WILL have to make
    some adjustments on how you send your script to make it work.
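
Added example, not part of the advisory and not Hushmail's code: a sketch of the inbox-listing flaw described under VULNERABILITY, next to the output-encoded form that prevents it. The sample message, addresses and function names are constructed for illustration; the sketch assumes the listing is built from the From display name and the Subject header.

```python
import base64
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr
from html import escape

# Constructed sample message (not from the advisory): markup in the From
# display name, and in a Subject that arrives as an RFC 2047 encoded word.
_SUBJECT = "=?utf-8?b?" + base64.b64encode(b"<img src=x onerror=alert(1)>").decode() + "?="
SAMPLE = (
    'From: "<script>alert(1)</script>" <sender@example.test>\n'
    "To: user@example.test\n"
    f"Subject: {_SUBJECT}\n"
    "\n"
    "body\n"
)


def display_fields(raw):
    """Return (sender name, subject) as an inbox listing would show them."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    # Decode RFC 2047 first; escaping must apply to the decoded text.
    name = str(make_header(decode_header(name))) if name else addr
    subject = str(make_header(decode_header(msg.get("Subject", ""))))
    return name, subject


def render_row_unsafe(raw):
    """The flaw: sender-controlled header text is placed into HTML as-is."""
    name, subject = display_fields(raw)
    return f"<tr><td>{name}</td><td>{subject}</td></tr>"


def render_row_safe(raw):
    """Same row with both fields HTML-escaped at output time."""
    name, subject = display_fields(raw)
    return f"<tr><td>{escape(name)}</td><td>{escape(subject)}</td></tr>"


if __name__ == "__main__":
    print(render_row_unsafe(SAMPLE))
    print(render_row_safe(SAMPLE))
```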