
Tlen.PL e-mail XSS vulnerability.



As written in: http://security.pass.pl/adv/160406_XSS_tlen_pl.txt

::File: 060416_XSS_tlen_pl
::Date: 16 Feb 2006
::Author: Tomasz Koperski <koper@xxxxxxx>
::URL: http://security.pass.pl



::1::Overview::
The Tlen.PL e-mail system is affected by a cross-site scripting vulnerability: 
HTML tags in the e-mail message subject are not validated. 



::2::Description::
Tlen.PL is a popular Polish IM system provided by o2.pl, which includes e-mail 
accounts and an e-mail client built into the 
communicator software (under Windows it is actually an instance of Internet 
Explorer displaying the webmail system). 
Depending on the server 'assigned' to the account (probably varying by the date 
of registration), the webmail client does 
not validate the e-mail subject for HTML tags, allowing an attacker to inject 
script code.
The vulnerable server is accessed by default with the Tlen.pl IM client (by older 
accounts).
The vulnerable server does not provide webmail services through default web 
browser access
(using for example http://poczta.o2.pl or http://mail.tlen.pl), yet it is still 
accessible under http://beta.mini.tlen.pl 
and used inside the Tlen.pl IM client.
On the account tested (login: koper, served by beta.mini.tlen.pl, 193.17.41.32, 
registered over 5 years ago), the length of the 
subject displayed is 28 characters, which is the length an attacker can use to 
inject HTML.



::3::Impact::
An attacker could include code such as the following inside the subject field of 
an e-mail sent to the target account:

<iframe src="http://pass.pl"; 

//(28 chars, no HTML closing bracket; the http://pass.pl page is still displayed 
//inside an <iframe>, giving an attacker the ability to include more code. 
//A shorter domain name allows an attacker to fit a complete, valid <iframe> tag.)


<script>alert("xx")</script> 

//Displays an alert window containing 2 characters  

etc.
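The following is an added illustration, not code from the advisory or from Tlen.pl: a Python model of the vulnerable subject rendering beside a hardened version that truncates to the 28-character display limit and then HTML-escapes the text, plus a simple detection check a mail gateway or log review could apply. The table-cell markup, the sample subjects and the function names are assumptions constructed for this example; the two payload shapes are the ones quoted above.

```python
import html
import re

# Display limit reported in the advisory: 28 characters of the subject are shown.
SUBJECT_DISPLAY_LIMIT = 28

# Constructed sample subjects. The first two have the shape of the payloads quoted
# in the advisory; the third is a harmless subject that merely contains '<'.
SAMPLE_SUBJECTS = [
    '<script>alert("xx")</script>',
    '<iframe src="http://pass.pl"',
    'Meeting at 5 < 6 pm?',
]

# Matches anything a lenient HTML parser would start treating as a tag:
# '<' followed by an optional '/' and a letter. This is a detection check,
# not the rendering defence; output encoding below is the defence.
TAG_START = re.compile(r'<\s*/?\s*[A-Za-z]')

CELL_OPEN = '<td class="subject">'   # assumed mailbox-page markup
CELL_CLOSE = '</td>'


def render_subject_unsafe(subject: str, limit: int = SUBJECT_DISPLAY_LIMIT) -> str:
    """Vulnerable rendering: truncates to the display limit but writes the
    subject into the page verbatim, which is the behaviour the advisory reports."""
    return CELL_OPEN + subject[:limit] + CELL_CLOSE


def render_subject_safe(subject: str, limit: int = SUBJECT_DISPLAY_LIMIT) -> str:
    """Hardened rendering: truncate the raw text first, then HTML-escape the
    result so '<', '>', '&' and both quote characters become inert entities.
    Escaping after truncation guarantees an entity is never cut in half."""
    return CELL_OPEN + html.escape(subject[:limit], quote=True) + CELL_CLOSE


def subject_has_markup(subject: str) -> bool:
    """Detection check: does the subject contain something that would start an
    HTML tag? A length cap alone is no filter; the advisory's script payload
    fits in exactly 28 characters."""
    return TAG_START.search(subject) is not None


def cell_is_inert(rendered: str) -> bool:
    """True if the rendered cell content contains no tag start, i.e. the subject
    cannot introduce new elements into the mailbox page."""
    inner = rendered[len(CELL_OPEN):-len(CELL_CLOSE)]
    return TAG_START.search(inner) is None


if __name__ == '__main__':
    for s in SAMPLE_SUBJECTS:
        print(f'{s!r}: markup detected={subject_has_markup(s)}')
        for label, render in (('unsafe', render_subject_unsafe), ('safe  ', render_subject_safe)):
            cell = render(s)
            print(f'  {label}: {cell}  ->', 'inert' if cell_is_inert(cell) else 'LIVE')
```

The order of operations in the hardened renderer is the point worth keeping: apply the display limit to the raw text, then encode for the HTML context it is written into. Encoding first and truncating afterwards would at best leave a harmless half entity, but truncating the encoded text also changes what the user sees, so truncate-then-encode is the predictable choice.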



::4::Solution::
None provided. Vendor contacted on 16 Feb 2006.



::6::Systems affected::
All Tlen.pl Communicator versions, but not all accounts are affected.
Servers checked to be vulnerable: beta.mini.tlen.pl [ 193.17.41.32 ].
Servers checked NOT to be vulnerable: mini10.tlen.pl [ 193.17.41.92 ].