SkipNavigation
Home | FAQ | Contact | Privacy Policy
US-CERT
American Flag
  Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information


 
 View Notes By
  Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric
 Other Documents
  Technical Alerts

Technical Bulletins

Alerts

Security Tips
 

Vulnerability Note VU#361600

Web-based email services filtering systems vulnerable to malicous script execution

Overview

An attacker can send a specially crafted email message to a victim containing malicious scripting (JavaScript, VBScript, JScript, etc.), or potentially HTML. When a victim views the message with scripting enabled, the victim's browser will then interpret this javascript which can lead to several impacts.

I. Description

Malicious code provided by one client for another client

Sites that provide email service with web interfaces have guarded against a vulnerability where one client embeds malicious HTML tags in a message intended for another client with in the body of a message. For example, an attacker might send an email message like

From: attacker@example.com
To: victim@example.com
Subject: Hello

Hello Victim,

This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.

When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

With client-to-client sites, developers explicitly recognize that data input is untrustworthy when it is presented to other users. Most email services either will not accept such input or will encode/filter it before sending anything to other readers.

It has recently been discovered that some sites that provide email services with web interfaces are failing to check fields outside of the message body. Hotmail, Hushmail, and MyOwnEmail are all services that have been reported vulnerable to this attack. There may be other sites that provide email service with web interfaces vulnerable to this attack. The following message would be an example of this:

From: a background=javascript:alert('test') @example.com
To: victim@example.com
Subject: Hello

Hello Victim,

This is a message.
This is the end of my message.

This vulnerability is closely related to Cross-Site Scripting. For more information on Cross-Site Scripting, see http://www.cert.org/advisories/CA-2000-02.html. Hotmail, Hushmail, and MyOwnEmail are all services that have been reported vulnerable to this attack.

II. Impact

This attack could be used to gain sensitive data such as passwords, credit card numbers, and any arbitrary information the user inputs. This may also lead to the theft of credentials.

III. Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Disable scripting in your browser.

Systems Affected

VendorStatusDate Updated
Hushmail.comVulnerable13-Sep-2001
Microsoft CorporationVulnerable13-Sep-2001
MyOwnEmail.comVulnerable13-Sep-2001

References

CA-2000-02

Credit

Hushmail has credited 1; (one-semicolon) with the discovery of this vulnerability.

This document was written by Jason Rafail.

Other Information

Date Public01/17/2002
Date First Published09/26/2001 11:14:33 AM
Date Last Updated07/31/2002
CERT Advisory 
CVE-ID(s) 
NVD-ID(s) 
US-CERT Technical Alerts 
Metric15.75
Document Revision17

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Page Corner Image
Copyright 2001 Carnegie Mellon University
Disclaimers and copyright information
Get Adobe Reader Get Adobe Reader