While playing around with the webmail server (Iplanet Messaging) of my old 
ISP (Terra Networks) I noticed something really strange that I could not 
believe in: it was possible to do a XSS through an html attachment. In 
fact, with Iplanet Messaging you can open an html attachments "online", so 
the code is executed in the webmail domain context...  ooops!

First I tried a script to steal the cookie, and it worked. Then I tried it 
on others Iplanet installations and I could not get the cookie... :-(

I don`t exactly know how Iplanet Messaging tracks http sessions, but after 
looking some of the http flow, I think it only looks for a session 
id "sid" parameter.The "SID" is sent in any request in the URI request, so 
it seems there's no need for any cookie... My old ISP (www.terra.es), 
seems to be using although cookies, and some kind of javascript filtering 
(Maybe Firewall-1 resource), but it's easy to trick the filtering device 
(it looks inside "body" tags, but the script doesn't need those tags to be 
executed),... but this is another story.

So, for Iplanet Messaging: it seems that you can execute scripts on the 
webmail domain context, and an attacker can use it to steal Session ID's. 
Our tests have been done on two environments, HTTP and HTTPS, both of them 
successfully exploited.

How to reproduce:

All you have to do is send an attachment with the next code:

<html>
&lt;script&gt;alert(document.URL)&lt;/script&gt;
</html>

The URL in the alert box has the "sid" we are looking for.
Notice that, it's really easy to exploit this, the attacker do not need to 
create a special crafted HTTP request with a stolen cookie header, he only 
needs to do a "copy-paste" of the URL...

Can anyone replicate this?
Is this an Iplanet Messaging bug?

Any feedback will be appreciated,

Sincerely,

Hugo Vázquez Caramés & Toni Cortés Martínez
INFOHACKING RESEARCH 2003
http://www.infohacking.com
Barcelona
Spain