[NEWS] Scripting Vulnerabilities in Indian Email Providers

From: SecuriTeam (support_at_securiteam.com)
Date: 12/27/04

    To: list@securiteam.com
    Date: 27 Dec 2004 17:03:44 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Scripting Vulnerabilities in Indian Email Providers
    ------------------------------------------------------------------------

    SUMMARY

    The web mail services of several large Indian portals are vulnerable to
    script injection: an attacker can embed malicious code in an ordinary email
    message, and that code runs in the recipient's browser when the message is
    read. The affected services are Rediffmail.com, Indiatimes.com and
    Sify.com. Their combined user base runs into millions, and all of those
    users are exposed. I've known about most of these vulnerabilities for years
    and am releasing them now because many are being massively exploited in
    the wild. All attempts to contact the vendors were unfruitful.

    DETAILS

    Flaws in the anti-scripting filters of these services make it possible to
    embed malicious scripts in an ordinary email to their users. Because these
    filters are far less robust than those used by providers such as Yahoo and
    Hotmail, many more flaws similar to the ones detailed here are undoubtedly
    present. Some of the attacks possible by exploiting these flaws:

    1. Usernames and passwords can be stolen; a spoofed login page rendered
    inside the mailbox is one of many ways to do so.
    2. Pages belonging to the portals, including the shopping-cart system, can
    be spoofed.
    3. The injected code runs in the victim's session, so it can take any
    action the legitimate user can take. Session cookies can be stolen.
    4. Combined with browser vulnerabilities, malicious programs can be
    executed.
    5. Users can be force-fed web sites: spammers, phishers and scammers can
    redirect them to their own pages.
    6. A worm can be written that propagates through the entire user base and
    causes damage.
    7. Users can be locked out of their inboxes.

    Technical details:
    Rediffmail(http://rediffmail.com)

    Rediffmail has the most robust filter of the three, but it is still
    susceptible to several attacks.

    First vulnerability:
    The filter apparently matches the literal string "javascript:", so
    splitting it with a carriage-return character reference (&#13;) slips past
    the check, while the browser drops the control character and still
    resolves the value as a javascript: URL. (The url(javascript:...) form
    inside a style attribute is an Internet Explorer behaviour.) For example:
    <input
    style=background-image:url(jav&#13;ascript:alert(document.cookie))>Hello!</input>

    Second vulnerability:
    The service is also susceptible to a script insertion method previously
    found by Greymagic (http://www.greymagic.com/security/advisories/gm005-mc/),
    which uses the HTML+TIME feature of Internet Explorer: the time2
    behaviour's <t:set> element assigns a value to innerHTML, so the script
    arrives as an attribute value rather than as a tag the filter recognises.

    Example (adapted from the Greymagic PoC):
    <?xml:namespace prefix=t ns=urn:schemas-microsoft-com:time />
    <?import namespace=t implementation=#default#time2>
    <span><t:set attributeName=innerHTML to="Nuttin <script
    defer>alert('Alert!')</script>" /></span>

    Indiatimes Mail (http://email.indiatimes.com):
    Indiatimes Mail has no scripting filter at all: any HTML, script tags
    included, can be embedded in a message and is rendered as-is.

    Example:
    <script>
    location.replace("http://google.com")
    </script>

    Sify Mail (http://mail.sify.com):
    First vulnerability:
    Server-side filtering removes everything between and including literal
    <script> and </script> tags in the message body. The tag is matched as a
    fixed string, so a newline or a space before the ">" of <script> or
    </script> evades the filter while the browser still parses the tag:
    <script >
    location.href="http://google.com"
    </script >

    Second vulnerability:
    The subject line is not filtered at all. HTML tags inserted into the
    subject are interpreted by the browser when the inbox is displayed; even
    <script> can be inserted.

    Interesting: sending a message whose subject contains "<!--" can lock the
    recipient out of their inbox, since the browser treats everything after
    the unterminated comment as comment text.
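    The filters above all fail for the same reason: they pattern-match the raw
    message text, while the browser tokenizes it. The following Python script
    is an added illustration, not code from this advisory or from any of the
    vendors. Its two "naive" functions model the filter behaviour the advisory
    describes (a literal <script>...</script> delete for Sify, a literal
    "javascript:" prefix check for Rediffmail); the vendors' real code is not
    known. The hardened version decodes character references and strips
    control characters before checking a URL scheme, and rebuilds the message
    from an allowlist of tags and attributes using the standard-library
    tokenizer, so <script >, the HTML+TIME processing instructions and style
    attributes are dropped regardless of spacing. The sample messages are
    constructed, and the allowlist is deliberately minimal: it shows the
    approach and is not a production sanitizer.

```python
import html
import re
from html.parser import HTMLParser

# --- Models of the two filter styles the advisory describes (added illustration) ---

# Sify-style filter: delete everything between a literal "<script>" and
# "</script>". The tag is matched as a fixed string, so "<script >" or
# "<script\n>" is never recognised and passes straight through.
NAIVE_SCRIPT_RE = re.compile(r"<script>.*?</script>", re.IGNORECASE | re.DOTALL)

def naive_filter(body: str) -> str:
    return NAIVE_SCRIPT_RE.sub("", body)

# Rediffmail-style URL check: reject values beginning with "javascript:".
# "jav&#13;ascript:" never matches, but the browser decodes the reference
# and drops the carriage return before resolving the scheme.
def naive_url_is_safe(value: str) -> bool:
    return not value.lstrip().lower().startswith("javascript:")

# --- Hardened versions ---

SAFE_SCHEMES = ("http:", "https:", "mailto:")
_CONTROL_CHARS = re.compile(r"[\x00-\x20]")   # C0 controls and space, ignored by browsers in a scheme

def hardened_url_is_safe(value: str) -> bool:
    """Decode entities, strip control characters, then allowlist the scheme."""
    normalised = _CONTROL_CHARS.sub("", html.unescape(value)).lower()
    if ":" not in normalised:
        return True              # no scheme at all: a relative URL
    return normalised.startswith(SAFE_SCHEMES)

class AllowlistFilter(HTMLParser):
    """Rebuild the message from the tokenizer's view of it instead of
    pattern-matching raw text. Tag names arrive normalised (lower-cased,
    trailing whitespace gone), so <script >, <SCRIPT> and <script\\n> are all
    "script"; processing instructions such as <?xml:namespace ...> and
    <?import ...> (the HTML+TIME bootstrap) are discarded by default; only
    allowlisted tags and attributes are written back out."""
    ALLOWED_TAGS = {"p", "br", "b", "i", "a", "span"}
    ALLOWED_ATTRS = {"href"}     # no "style": it can carry url(javascript:...)

    def __init__(self) -> None:
        super().__init__()       # convert_charrefs=True: text arrives decoded
        self.out: list[str] = []
        self.skip_depth = 0      # > 0 while inside a dropped script/style body

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in self.ALLOWED_TAGS:
            return
        kept = ""
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS or value is None:
                continue
            if name == "href" and not hardened_url_is_safe(value):
                continue         # e.g. jav&#13;ascript:... after decoding
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in self.ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data))   # re-escape the decoded text

def hardened_filter(body: str) -> str:
    parser = AllowlistFilter()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

def safe_subject(subject: str) -> str:
    """A subject is text, never markup: escape it before rendering so "<!--"
    cannot swallow the rest of the inbox listing."""
    return html.escape(subject, quote=True)

# --- Constructed sample messages (not captured traffic) ---
SIFY_STYLE_BYPASS = '<script >\nlocation.href="http://attacker.invalid"\n</script >'
CR_IN_SCHEME = '<p>Hi <b>there</b> <a href="jav&#13;ascript:alert(document.cookie)">link</a></p>'
HTML_TIME = ('<?xml:namespace prefix=t ns="urn:schemas-microsoft-com:time" />'
             '<?import namespace=t implementation="#default#time2">'
             '<span><t:set attributeName=innerHTML to="&lt;script defer&gt;alert(1)&lt;/script&gt;" /></span>')

if __name__ == "__main__":
    print(repr(naive_filter(SIFY_STYLE_BYPASS)))     # the script block survives
    print(repr(hardened_filter(SIFY_STYLE_BYPASS)))  # ''
    print(repr(hardened_filter(CR_IN_SCHEME)))       # href dropped, text kept
    print(repr(hardened_filter(HTML_TIME)))          # '<span></span>'
    print(safe_subject("<!--"))
```

    The point of the parser-based version is not the particular allowlist but
    that filtering decisions are taken on the same token stream the browser
    will see, after entity decoding; any filter that inspects the raw bytes
    instead is exposed to every spacing, casing and encoding variant the
    browser tolerates.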

    Vendor status:
    Several unsuccessful attempts have been made to contact the vendors; the
    email alerts received no response.

    ADDITIONAL INFORMATION

    The information has been provided by S G Masood (sgmasood@yahoo.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


