mailing list archives
Possible XSS on iPlanet Messaging Server
From: Hugo "Vázquez" "Caramés" <overclocking_a_la_abuela () hotmail com>
Date: 27 May 2003 13:54:40 -0000
While playing around with the webmail server (Iplanet Messaging) of my old
ISP (Terra Networks) I noticed something really strange that I could not
believe in: it was possible to do a XSS through an html attachment. In
fact, with Iplanet Messaging you can open an html attachments "online", so
the code is executed in the webmail domain context... ooops!
First I tried a script to steal the cookie, and it worked. Then I tried it
on others Iplanet installations and I could not get the cookie... :-(
I don`t exactly know how Iplanet Messaging tracks http sessions, but after
looking some of the http flow, I think it only looks for a session
id "sid" parameter.The "SID" is sent in any request in the URI request, so
it seems there's no need for any cookie... My old ISP (www.terra.es),
(Maybe Firewall-1 resource), but it's easy to trick the filtering device
(it looks inside "body" tags, but the script doesn't need those tags to be
executed),... but this is another story.
So, for Iplanet Messaging: it seems that you can execute scripts on the
webmail domain context, and an attacker can use it to steal Session ID's.
Our tests have been done on two environments, HTTP and HTTPS, both of them
How to reproduce:
All you have to do is send an attachment with the next code:
The URL in the alert box has the "sid" we are looking for.
Notice that, it's really easy to exploit this, the attacker do not need to
create a special crafted HTTP request with a stolen cookie header, he only
needs to do a "copy-paste" of the URL...
Can anyone replicate this?
Is this an Iplanet Messaging bug?
Any feedback will be appreciated,
Hugo VÃ¡zquez CaramÃ©s & Toni CortÃ©s MartÃnez
INFOHACKING RESEARCH 2003
- Possible XSS on iPlanet Messaging Server Vázquez (May 27)