Vulnerability Note VU#476267

Standard HTML form implementation allows access to IMAP, SMTP, NNTP, POP3, and other services via crafted HTML page

Original Release date: 16 Aug 2001 | Last revised: 04 Feb 2008

Overview

An intruder can send certain kinds of data to services that he is not ordinarily able to reach. By crafting the data such that it is redirected through any program the victim uses to render the malicious HTML, the intruder is able send that data to any services that the victim can send data to. The malicious HTML can be embedded in documents such as an email message, web page, rich-text log or newsgroup posting.

Description

An intruder can send certain kinds of data to services that he is not ordinarily able to reach. By crafting the data such that it is redirected through any program the victim uses to render the malicious HTML, the intruder is able send that data to any services that the victim can send data to. If the victim is either tricked into clicking on a form submission button or a JavaScript program submits the form on behalf of the victim, the intruder's data may be sent to the service specified. Since the connection originates from the victim, any access control lists or restrictions designed to protect the server (such as a firewall) may not be effective. The data that the intruder is able to send is usually encoded as "multipart/form-data" by the browser, which necessarily inserts some header and encoding metadata, and is subject to any limitations of the protocol it attempts to attack.

This vulnerability has been called "cross-protocol scripting."

Impact

An intruder may be able to use this vulnerability to send mail (Spam), post News, get or send files from or to an FTP server, or send data to an HTTP server. It may even be possible to exploit a vulnerability in one of these services through this problem, though we are not certain of that at this time. For example, an intruder may be able to exploit this problem as a means of attacking a vulnerable web server that would ordinarily be protected by a firewall. Additionally, it may be possible for an intruder to cause denial-of-service conditions within the network by sending unexpected data to network services. This unexpected data may crash or hang the services receiving the data.

Solution

Upgrade your application according to your manufacturer's recommendations, if any. Additionally, do not rely solely on firewalls to provide a guarantee that an intruder can not reach a service. Keep internal systems up to date with respect to patches and workarounds.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected03 Aug 200116 Aug 2001
Netscape Communications CorporationAffected03 Aug 200116 Aug 2001
The SCO Group (SCO Linux)Affected03 Aug 200120 Aug 2001
FreeBSD, Inc.Not Affected03 Aug 200117 Aug 2001
Apple Computer, Inc.Unknown03 Aug 200115 Aug 2001
Berkeley Software Design, Inc.Unknown03 Aug 200115 Aug 2001
Cray Inc.Unknown03 Aug 200117 Aug 2001
DeCUnknown03 Aug 200115 Aug 2001
FujitsuUnknown03 Aug 200117 Aug 2001
Hewlett-Packard CompanyUnknown03 Aug 200115 Aug 2001
MiT Kerberos Development TeamUnknown03 Aug 200115 Aug 2001
MozillaUnknown-04 Feb 2008
NEC CorporationUnknown03 Aug 200115 Aug 2001
NetBSDUnknown03 Aug 200117 Aug 2001
OpenBSDUnknown03 Aug 200115 Aug 2001
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

The CERT/CC thanks Jochen Topf <jochen@remote.org> for reporting this vulnerability. We would also like to thank Wietse Venema and Steve Bellovin for their assistance in understanding this vulnerability. Additionally Wietse Venema coined the name "cross-protocol scripting."

This document was written by Ian A. Finlay and Shawn V. Hernan.

Other Information

  • CVE IDs: Unknown
  • Date Public: 15 Aug 2001
  • Date First Published: 16 Aug 2001
  • Date Last Updated: 04 Feb 2008
  • Severity Metric: 15.00
  • Document Revision: 49

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.