Full Disclosure mailing list archives
SEC Consult SA-20051202-1 :: GMX Webmail XSS
From: Sec Consult Research <research () sec-consult com>
Date: Fri, 02 Dec 2005 16:21:07 +0100
==========================================================
SEC-CONSULT Security Advisory 20051202-0
GMX / MSIE XSS
==========================================================

Product: GMX Webmail V ?.? in combination with MSIE (maybe other browsers)
Remarks: no other Versions tested but very likely vulnerable
Vulnerabilities: Multiple XSS/Relogin-trojan
Vendor: gmx.net
Vendor-Status: first time vendor contacted (2005.12.02)
Vendor-Patches: ---
Object: MSIE (unknown version - 5.*+)
Exploitable: Local: --- Remote: YES
Type: XSS - Cross Site Scripting

============
Introduction
============

GMX-Webmail Vulnerability #1/2005

=====================
Vulnerability Details
=====================

1) XSS / Relogin Trojan
=======================

gmx.net's blacklists fail to detect script-tags in combination with SPECIAL/META-Characters. This leaves Webmail users using MSIE vulnerable to typical XSS / Relogin-trojan attacks.

Vulnerable TAG/ATTRIBUTE
========================
P/STYLE (most likely others)

Malicious HTML-Mail:
===================================================================================================================
P-TAG / STYLE ATTRIBUTE:

---cut here---
<html><body>
<p style="background-image:url(jav[Special/Meta-Chars]ascript:[malicious/script/relogin-trojan...])">Hola Seniores ...</p>
</body></html>
---cut here---
===================================================================================================================

Remark: Since the authentication tokens are stored in a second subdomain it is not possible to steal them with a single XSS. It is very likely that a second XSS vulnerability within this domain could be used to achieve this goal.

When users want to view HTML messages they have to confirm this by clicking on a single link. We assume that everybody would do so.

===============
General remarks
===============

We would like to apologize in advance for potential nonconformities and/or known issues.
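The following is an added illustration (not part of the advisory and not GMX's filter code) of why a blacklist on the literal token "javascript:" misses the split-scheme pattern shown above, and what the whitelist approach recommended in the next section looks like in practice: entity-decode and strip control/meta characters before looking at the URL scheme, then keep only known-good CSS properties and known-good schemes. The sample mail, the allowed property set and the allowed scheme set are assumptions made for the example.

```python
"""Blacklist vs. whitelist filtering of a style attribute in an HTML mail.
Example code written for this page; it is not the vendor's implementation."""
import html
import re
from urllib.parse import urlsplit

# Constructed sample: the advisory's pattern with a tab and a newline inside the scheme.
SAMPLE_MAIL = ('<html><body><p style="background-image:url(jav\tas\ncript:alert(1))">'
               'Hola Seniores ...</p></body></html>')

# Characters a lenient HTML client may drop while reading a URL scheme:
# C0 control characters, space and DEL. They must be removed *before* any scheme check.
_STRIP_CHARS = re.compile(r'[\x00-\x20\x7f]')

# Whitelists (assumed for the example): what a webmail renderer should let through.
_ALLOWED_SCHEMES = {"http", "https", "mailto"}
_ALLOWED_PROPS = {"color", "background-color", "font-weight", "text-align", "background-image"}

_SIMPLE_VALUE = re.compile(r'^[a-zA-Z0-9#%., -]+$')   # plain keywords, colours, sizes
_URL_VALUE = re.compile(r'^url\((.*)\)$', re.S)         # url(...) including embedded newlines
_STYLE_ATTR = re.compile(r'\s*style\s*=\s*"([^"]*)"', re.I | re.S)


def blacklist_allows(style: str) -> bool:
    """The failing approach: a substring match on the literal token.
    Returns True when the filter would let the value through."""
    return "javascript:" not in style.lower()


def normalize_url(raw: str) -> str:
    """Decode HTML entities (attribute values are entity-decoded by the client),
    drop quotes and control characters, so the filter sees what the client sees."""
    decoded = html.unescape(raw.strip()).strip('\'"')
    return _STRIP_CHARS.sub("", decoded)


def url_is_safe(raw: str) -> bool:
    """Whitelist: only scheme-less relative references and known-good schemes survive."""
    scheme = urlsplit(normalize_url(raw)).scheme.lower()
    return scheme == "" or scheme in _ALLOWED_SCHEMES


def sanitize_style(style: str) -> str:
    """Rebuild a style attribute from whitelisted declarations only.
    Anything unknown, malformed or carrying an unsafe url() is dropped.
    (Splitting on ';' is deliberately simple; url() values containing ';' are rejected.)"""
    kept = []
    for decl in style.split(";"):
        prop, sep, value = decl.partition(":")
        if not sep:
            continue
        prop, value = prop.strip().lower(), value.strip()
        if prop not in _ALLOWED_PROPS:
            continue
        m = _URL_VALUE.match(value)
        if m:
            if prop != "background-image" or not url_is_safe(m.group(1)):
                continue
            kept.append(f"{prop}:url({normalize_url(m.group(1))})")
        elif _SIMPLE_VALUE.match(value):
            kept.append(f"{prop}:{value}")
    return ";".join(kept)


def sanitize_markup(markup: str) -> str:
    """Replace every double-quoted style attribute with its whitelisted form;
    an attribute with nothing left is removed entirely."""
    def repl(m: re.Match) -> str:
        clean = sanitize_style(m.group(1))
        return f' style="{clean}"' if clean else ""
    return _STYLE_ATTR.sub(repl, markup)


if __name__ == "__main__":
    split = "background-image:url(jav\tas\ncript:alert(1))"
    print("blacklist lets split scheme through:", blacklist_allows(split))
    print("whitelist keeps:", repr(sanitize_style(split)))
    print(sanitize_markup(SAMPLE_MAIL))
```

Run as a script it shows the blacklist passing the split scheme while the whitelist strips the declaration and the surrounding paragraph keeps only its text. The same normalize-then-whitelist order applies to any attribute that can carry a URL (href, src, the CSS url() here): decoding and control-character removal must happen before the scheme is compared, otherwise the comparison is made against a string the client never actually sees.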
======================================
Recommended hotfixes for webmail-users
======================================

Do not use MS Internet-Explorer.

=================
Recommended fixes
=================

Do not use blacklists on tags and attributes. Whitelist special/meta-characters.

==============
Vendor-Patches
==============
---

=======
Contact
=======
SEC-CONSULT Austria / EUROPE
research () sec-consult com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/