==========================================================
SEC-CONSULT Security Advisory 20051202-0 GMX / MSIE XSS
==========================================================

Product: GMX Webmail V ?.? in combination with MSIE (maybe other browsers)
Remarks: no other versions tested but very likely vulnerable

Vulnerabilities: Multiple XSS / Relogin-trojan

Vendor: gmx.net
Vendor-Status: first time vendor contacted (2005.12.02)
Vendor-Patches: ---

Object: MSIE (unknown version - 5.*+)

Exploitable:
Local: ---
Remote: YES
Type: XSS - Cross Site Scripting

============
Introduction
============

GMX-Webmail Vulnerability #1/2005

=====================
Vulnerability Details
=====================

1) XSS / Relogin Trojan
=======================

gmx.net's blacklists fail to detect script tags in combination with special/meta characters.
This leaves webmail users using MSIE vulnerable to typical XSS / relogin-trojan attacks.

Vulnerable TAG/ATTRIBUTE
========================

P/STYLE (most likely others)

Malicious HTML-Mail:
===================================================================================================================
P-TAG / STYLE ATTRIBUTE:

---cut here---
<html><body>
<p style="background-image:url(jav[Special/Meta-Chars]ascript:[malicious/script/relogin-trojan...])">Hola Seniores ...</p>
</body></html>
---cut here---
===================================================================================================================

Remark:

Since the authentication tokens are stored in a second subdomain it is not possible to steal them with a single
XSS. It is very likely that a second XSS vulnerability within this domain could be used to achieve this goal.
When users want to view HTML messages they have to confirm this by clicking on a single link. We assume that
everybody would do so.

===============
General remarks
===============

We would like to apologize in advance for potential nonconformities and/or known issues.

======================================
Recommended hotfixes for webmail-users
======================================

Do not use MS Internet-Explorer.

=================
Recommended fixes
=================

Do not use blacklists on tags and attributes. Whitelist special/meta-characters.
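The two checks this advisory contrasts, the substring blacklist that misses a scheme name split by special/meta characters (section 1) and the normalise-then-whitelist approach recommended here, as an added Python example. This is not code from the advisory or from GMX; the allowed scheme list, the regular expressions, and the sample inputs are assumptions of this example.

```python
import html
import re

# Added example (not code from the advisory or from GMX): a sanitizer for the
# url(...) operands inside inline style attributes of HTML mail. It contrasts
# the substring blacklist the advisory criticises with a normalise-then-allowlist
# check. Scheme list, regexes and sample inputs are this example's assumptions.

# Characters that MSIE-era parsers skipped inside a scheme name: C0 controls,
# DEL and whitespace. Assumption: dropping all of them before inspection is the
# safe side, because the result is only used for the scheme decision.
_STRIP = re.compile(r"[\x00-\x20\x7f]")
# CSS backslash escape, e.g. "\6a " for "j", with one optional trailing whitespace.
_CSS_ESC = re.compile(r"\\([0-9a-fA-F]{1,6})[ \t\n]?")
# Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")
# CSS url() token with optional single or double quotes around the operand.
_URL = re.compile(r"url\(\s*(['\"]?)(.*?)\1\s*\)", re.IGNORECASE | re.DOTALL)

# Only schemes a mail client has a reason to load images from (assumption).
ALLOWED_SCHEMES = frozenset({"http", "https", "cid"})


def blacklist_check(value: str) -> bool:
    """Weak check in the style the advisory criticises.

    Returns True ("looks safe") unless a blacklisted substring is present.
    A scheme split by a control or whitespace character is never matched.
    """
    lowered = value.lower()
    return not any(bad in lowered for bad in ("javascript:", "vbscript:", "<script"))


def _css_unescape(match: re.Match) -> str:
    codepoint = int(match.group(1), 16)
    # Out-of-range escapes map to U+FFFD instead of raising.
    return chr(codepoint) if codepoint <= 0x10FFFF else "\ufffd"


def normalise(value: str) -> str:
    """Undo the layers a browser undoes before it looks at the scheme.

    Order: HTML entities (attribute value), then CSS escapes, then drop the
    control/whitespace characters that lenient parsers ignore.
    """
    decoded = html.unescape(html.unescape(value))  # twice: double-encoded entities
    decoded = _CSS_ESC.sub(_css_unescape, decoded)
    return _STRIP.sub("", decoded)


def allowlist_check(value: str) -> bool:
    """Hardened check: normalise, then permit only known-good schemes.

    Scheme-less (relative) references are allowed; any scheme outside
    ALLOWED_SCHEMES is rejected, whatever obfuscation was applied to it.
    """
    match = _SCHEME.match(normalise(value).lower())
    if match is None:
        return True
    return match.group(1) in ALLOWED_SCHEMES


def urls_in_style(style: str) -> list:
    """Extract the raw url(...) operands from an inline style value."""
    return [m.group(2) for m in _URL.finditer(style)]


def style_is_safe(style: str) -> bool:
    """Accept an inline style only if every url() passes the allowlist check."""
    return all(allowlist_check(u) for u in urls_in_style(style))


if __name__ == "__main__":
    # Constructed samples; the tab stands in for the advisory's "[Special/Meta-Chars]".
    samples = [
        'background-image:url("https://example.test/logo.png")',
        "background-image:url(jav\tascript:x)",
        "background-image:url(jav&#x09;ascript:x)",
    ]
    for s in samples:
        verdicts = [blacklist_check(u) for u in urls_in_style(s)]
        print(f"{s!r}: blacklist={verdicts} allowlist={style_is_safe(s)}")
```

The design point is the order of operations: decode every layer the client decodes (entities, CSS escapes, ignored control characters) and only then make an allow decision on the scheme, so the filter never has to enumerate the encodings an attacker might pick.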

==============
Vendor-Patches
==============

---

=======
Contact
=======

SEC-CONSULT
Austria / EUROPE
research@sec-consult.com