SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Netscape Vendors:   America Online, Inc.
Netscape Web Mail 'msglist.adp' Input Validation Hole Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1011792
SecurityTracker URL:  http://securitytracker.com/id/1011792
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Updated:  Oct 20 2004
Original Entry Date:  Oct 20 2004
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  

Description:   Steven from lovebug.org reported an input validation vulnerability in Netscape's web mail system. A remote user can conduct cross-site scripting attacks.

The report notes that the same vulnerability was previously identified in a paper by David Endler [then of iDEFENSE] in May 2002.

The 'msglist.adp' script does not properly filter HTML code from user-supplied input in the 'folder' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Netscape web mail site running the vulnerable software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

http://[target]/msglist.adp?folder=<script>alert()</script>=&start=1&cmd=deletemsgs

The target user must be logged in to the web mail system for the exploit to work.

The original advisory is available at:

http://www.lovebug.org/netscapewebmail_adivsory.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Netscape web mail site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.netscape.net/ (Links to External Site)
Cause:   Input validation error

Message History:   None.


 Source Message Contents

Subject:  Netscape Webmail Cross Site Scripting Vulnerability


Date:             October 20, 2004
Vendor:           America Online Inc. | Netscape
Product/Service:  Netscape (.net) Webmail
Issue:            Cross Site Scripting Vulnerability In Webmail
URL:              http://ncmail.netscape.net
Advisory URL:     http://www.lovebug.org/netscapewebmail_adivsory.txt

Note: While I found these vulnerabilities independently, all credit goes to
iDefense as upon searching I found that this scripting error has previously
been mentioned (sometime ago at that) in a white paper written by iDefense.
This white paper is available at: http://www.cgisecurity.com/lib/XSS.pdf -
However, it appears it is possible the vendor has never been notified and
that this is not a widely published vulnerability.  Since this affects the
largest ISP in the world, it might be worth publishing on a larger scale.


Service Overview:

America Online (AOL) is the world's largest Internet Service Provider.  They
provide many special online services and features that are only available to
its dialup and high speed add-on subscribers.  AOL owns many other companies
to include Netscape, which also contains the same scripting error in its
webmail client.

Exploitation:

A user can craft a URL that when viewed will conduct a Cross Site Scripting
attack.  One impact of this attack is that it can give the attacker access
to the users cookies.  The flaw lies within msglist.adp?folder=<SCRIPTING>

An example url is as follows:
http://ncmail.netscape.com/msglist.adp?folder=<script>alert()</script>=&start=1&cmd=deletemsgs

Note: A user MUST be logged into webmail for this attack to work.
NETSCAPE's webmail is accessible and vulnerable to anyone with an AOL
related screen name.  This can be an AOL member, AIM user, or netscape.net
user.

Solutions:

The script could simply filter and replace special characters or validate
user input so scripts cannot be executed.


Vendor Response:

All previous attempts to alert this vendor to other vulnerabilties,
exploits, and holes have proven to be futile.  This error has not been
reported to the vendor for that reason.  If this vendor would like to be
notified of future bugs (which there already are) in order to work on a
solution prior to disclosure, they can contact me at: steven@lovebug.org

Credits:

iDefense - and credits go to Link Linkovich for also mentioning and
describing problems with Groups@AOL
---------------------------


Questions/Comments/Other?  Drop me a line.  Go Hokies! :D


-Steven
steven@lovebug.org
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC