Tlen.PL e-mail XSS vulnerability.



As written in: http://security.pass.pl/adv/160406_XSS_tlen_pl.txt

::File: 060416_XSS_tlen_pl
::Date: 16 Feb 2006
::Author: Tomasz Koperski <koper@xxxxxxx>
::URL: http://security.pass.pl



::1::Overview::
The Tlen.PL e-mail system is affected by a cross-site scripting vulnerability: it does not validate HTML tags in the e-mail message subject.



::2::Description::
Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail accounts and an e-mail client built into the
communicator software (under Windows it is actually an instance of Internet Explorer displaying the webmail system).
Depending on the server 'assigned' to the account (varying probably by the date of registration), the webmail client does
not validate the e-mail subject for HTML tags, allowing an attacker to inject script code.
The vulnerable server is accessed by default by the Tlen.pl IM client (for older accounts).
The vulnerable server does not provide webmail services through default web browser access
(using for example http://poczta.o2.pl or http://mail.tlen.pl), yet it is still accessible under http://beta.mini.tlen.pl
and used inside the Tlen.pl IM client.
On the account tested (login: koper, served by beta.mini.tlen.pl, 193.17.41.32, registered over 5 years ago), the length of
the subject displayed is 28 characters, which is the length an attacker can use to inject HTML.



::3::Impact::
An attacker could include code such as the following inside the subject field of an e-mail sent to the target account:

<iframe src="http://pass.pl";

//(28 chars, no closing HTML bracket; the http://pass.pl page is still displayed inside the <iframe>,
//giving an attacker the ability to include more code. A shorter domain name would allow an
//attacker to fit a complete, valid <iframe> tag.)


<script>alert("xx")</script>

//Displays an alert window containing the 2-character string "xx" (the tag pair fits exactly in 28 chars)

etc.



::4::Solution::
None provided; vendor contacted on 16 Feb 2006.



::6::Systems affected::
All Tlen.pl Communicator versions, but not all accounts are affected.
Servers checked to be vulnerable: beta.mini.tlen.pl [ 193.17.41.32 ].
Servers checked NOT to be vulnerable: mini10.tlen.pl [ 193.17.41.92 ].


