Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:10490
HistoryDec 02, 2005 - 12:00 a.m.

[Full-disclosure] SEC Consult SA-20051202-1 :: GMX Webmail XSS

2005-12-0200:00:00
vulners.com
30
JSON

==========================================================
SEC-CONSULT Security Advisory 20051202-0 GMX / MSIE XSS

Product: GMX Webmail V ?.? in combination with MSIE (maybe other browsers)
Remarks: no other Versions tested but very likely vulnerable

Vulnerablities: Multiple XSS/Relogin-trojan

Vendor: gmx.net
Vendor-Status: first time vendor contacted (2005.12.02)
Vendor-Patchs: —

Object: MSIE (unknown version - 5.*+)

Exploitable:
Local: —
Remote: YES
Type: XSS - Cross Site Scripting

============
Introduction

GMX-Webmail Vulnerability #1/2005

=====================
Vulnerability Details

1) XSS / Relogin Trojan

gmx.net s blacklists fail to detect script-tags in combination with
SPECIAL/META-Characters.
This leavas Webmail users using MSIE vulnerable to typical XSS /
Relogin-trojan attacks.

Vulnerable TAG/ATTRIBUTTE

P/STYLE (most likely others)

Malicious HTML-Mail:

P-TAG / STYLE ATTRIBUTE:

—cut here—
<html><body>
<p
style="background-image:url(jav[Special/Meta-Chars]ascript:[malicious/script/relogin-trojan…])">Hola
Seniores …</p>
</body></html>
—cut here—

Remark:

Since the authentication tokens are stored in a second subdomain it is
not possible steal them with a single
XSS. It is very likely that a second XSS vulnerability within this
domain could be used to achieve this goal.
When users want to view HTML messages they have to confirm this by
clicking on a single link. We assume that
everybody would do so.

===============
General remarks

We would like to apologize in advance for potential nonconformities
and/or known issues.

======================================
Recommended hotfixes for webmail-users

Do not use MS Internet-Explorer.

=================
Recommended fixes

Do not use blacklists on tags and attributes. Whitelist
special/meta-characters.

==============
Vendor-Patches

=======
Contact

SEC-CONSULT
Austria / EUROPE
[email protected]

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON