webmail-xss.txt

webmail-xss.txt: Posted Nov 3, 2006; Authored by Tal Argoni; The Web Mail platform by "Mirapoint" suffers from a cross site scripting flaw.; tags | advisory, web, xss; SHA-256 | 767f88cb347f5f34a1e7e4bd2604723c8f6953a24971832cb4f47ee069133dcb; Download | Favorite | View

webmail-xss.txt


·= Security Advisory =·

Issue: Cross Site Scripting (XSS) Vulnerability in Web Mail platform by 
"Mirapoint"
Discovered Date: 19/09/2006
Author: Tal Argoni, LegendaryZion. [talargoni at gmail.com]
Product Vendor: http://www.mirapoint.com/

Details:

Mirapoint Web Mail platform is prone to a Cross Site Scripting 
Vulnerability.
The vulnerability exists in filter engine, caused by the lack of Input 
Validation/Filtering
of malicious Method "Expression()" of Cascading Style Sheets (CSS).

About Cascading Style Sheets (CSS):

Cascading Style Sheets (CSS) is a stylesheet language used to describe the 
presentation
of a document written in a markup language. Its most common application is 
to style web pages written
in HTML and XHTML.
English:
http://en.wikipedia.org/wiki/Cascading_Style_Sheets


About Expression() Method:

Receive string that specifies any valid script(JScript, JavaScript, 
VBSCript)
statement without quotations or semicolons. This string can include 
references to
other properties on the current page. Array references are not allowed on 
object
properties included in this script.

<ELEMENT STYLE="AttributeName:expression(Script)">

Exploitation Mail:

...
------=_NextPart_000_0006_01C6DD9E.26B2BBD0
Content-Type: text/html;

<IMG width="0" height="0" style="width: expression(alert('expression'));">
...


Successful exploitation may allow execution of script code. This could also 
be exploited
to spoof the entire website's content, stealing cookies, stealing session 
ID,
commit Denial Of Service attacks and more...

Proof Of Concept:

<IMG style="width: expression(alert('expression'));">

google it
http://www.google.com/search?num=100&&q=intitle%3A%22Webmail+Direct%22

Israels ISP using the web mail:
015 Internet Zahav -    http://smile.msn.co.il/
014 Bezeqint -  http://www.bezeqint.net/

Around the globe:
Sigecom -   http://www.sigecom.net
BBC Worldwide -   http://www.beeb.net/
Oakland -   http://www.oakgov.com/
Bank of Shanghai -  http://www.bankofshanghai.com/
University of Delaware - http://www.udel.edu/

Thanks,
Tal Argoni, CEH
www.zion-security.com

Top Authors In Last 30 Days

Red Hat 277 files
indoushka 157 files
Jay Turla 150 files
Ubuntu 66 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Debian 22 files

File Archives

Systems

AIX (430)
Apple (2,104)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,118)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (387)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,107)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,764)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,813)
UNIX (9,453)
UnixWare (188)
Windows (6,765)
Other

webmail-xss.txt

webmail-xss.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

webmail-xss.txt

Share This

webmail-xss.txt

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems