Product: GMX Webmail V ?.? in combination with MSIE (maybe other browsers)
Remarks: no other Versions tested but very likely vulnerable
Vulnerablities: Multiple XSS/Relogin-trojan
Vendor: gmx.net
Vendor-Status: first time vendor contacted (2005.12.02)
Vendor-Patchs: —
Object: MSIE (unknown version - 5.*+)
Exploitable:
Local: —
Remote: YES
Type: XSS - Cross Site Scripting
GMX-Webmail Vulnerability #1/2005
gmx.net s blacklists fail to detect script-tags in combination with
SPECIAL/META-Characters.
This leavas Webmail users using MSIE vulnerable to typical XSS /
Relogin-trojan attacks.
P/STYLE (most likely others)
P-TAG / STYLE ATTRIBUTE:
Remark:
Since the authentication tokens are stored in a second subdomain it is
not possible steal them with a single
XSS. It is very likely that a second XSS vulnerability within this
domain could be used to achieve this goal.
When users want to view HTML messages they have to confirm this by
clicking on a single link. We assume that
everybody would do so.
We would like to apologize in advance for potential nonconformities
and/or known issues.
Do not use MS Internet-Explorer.
Do not use blacklists on tags and attributes. Whitelist
special/meta-characters.
SEC-CONSULT
Austria / EUROPE
[email protected]
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/