Vulnerability Note VU#476267

Standard HTML form implementation allows access to IMAP, SMTP, NNTP, POP3, and other services via crafted HTML page

Overview

An intruder can send certain kinds of data to services that he is not ordinarily able to reach. By crafting the data such that it is redirected through any program the victim uses to render the malicious HTML, the intruder is able to send that data to any services that the victim can send data to. The malicious HTML can be embedded in documents such as an email message, web page, rich-text log or newsgroup posting.

I. Description

An intruder can send certain kinds of data to services that he is not ordinarily able to reach. By crafting the data such that it is redirected through any program the victim uses to render the malicious HTML, the intruder is able to send that data to any services that the victim can send data to. If the victim is either tricked into clicking on a form submission button or a JavaScript program submits the form on behalf of the victim, the intruder's data may be sent to the service specified. Since the connection originates from the victim, any access control lists or restrictions designed to protect the server (such as a firewall) may not be effective. The data that the intruder is able to send is usually encoded as "multipart/form-data" by the browser, which necessarily inserts some header and encoding metadata, and is subject to any limitations of the protocol it attempts to attack.

This vulnerability has been called "cross-protocol scripting."
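
The header and encoding metadata that the browser inserts also gives the receiving service a way to recognise a browser-originated submission. The following is an added example, not part of the original note: a check that a line-based service (SMTP is assumed here) could run on the first bytes of a connection. The function names, host names and sample captures are constructed for illustration.

```python
import re

# First line of any HTTP request, e.g. b"POST / HTTP/1.1".
REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/\d\.\d$")
# Encodings a browser can apply to a submitted form (the form's enctype).
FORM_TYPES = (b"multipart/form-data", b"application/x-www-form-urlencoded", b"text/plain")


def inspect_preamble(data: bytes, max_headers: int = 64) -> dict:
    """Classify the first bytes a client sent to a non-HTTP, line-based service."""
    lines = [line.rstrip(b"\r") for line in data.split(b"\n")]
    result = {"http": False, "form_encoding": None, "headers": 0}
    if not REQUEST_LINE.match(lines[0]):
        return result  # not HTTP: leave it to the service's own parser
    result["http"] = True
    for line in lines[1 : 1 + max_headers]:
        if line == b"":
            break  # blank line ends the HTTP header block
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a "Name: value" header line
        result["headers"] += 1
        if name.strip().lower() == b"content-type":
            ctype = value.split(b";")[0].strip().lower()
            if ctype in FORM_TYPES:
                result["form_encoding"] = ctype
    return result


def should_disconnect(data: bytes) -> bool:
    """Policy: close the connection rather than reply with errors and keep reading."""
    return inspect_preamble(data)["http"]


# Constructed sample: bytes a mail server would see if a browser posted a form to it.
BROWSER_POST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: mail.example.internal:25\r\n"
    b"Content-Type: multipart/form-data; boundary=----constructed\r\n"
    b"\r\n"
    b"------constructed\r\n"
    b'Content-Disposition: form-data; name="field"\r\n'
    b"\r\n"
    b"(form field content)\r\n"
    b"------constructed--\r\n"
)
# Constructed sample: an ordinary SMTP client opening a session.
SMTP_CLIENT = b"EHLO client.example.org\r\nMAIL FROM:<user@example.org>\r\n"
```

A service applying this policy would run the check before processing any command, so that lines inside the form body are never interpreted as protocol commands.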

II. Impact

An intruder may be able to use this vulnerability to send mail (spam), post news, get or send files from or to an FTP server, or send data to an HTTP server. It may even be possible to exploit a vulnerability in one of these services through this problem, though we are not certain of that at this time. For example, an intruder may be able to exploit this problem as a means of attacking a vulnerable web server that would ordinarily be protected by a firewall. Additionally, it may be possible for an intruder to cause denial-of-service conditions within the network by sending unexpected data to network services. This unexpected data may crash or hang the services receiving the data.

III. Solution

Upgrade your application according to your manufacturer's recommendations, if any. Additionally, do not rely solely on firewalls to provide a guarantee that an intruder cannot reach a service. Keep internal systems up to date with respect to patches and workarounds.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Computer, Inc. | Unknown | 15-Aug-2001
Berkeley Software Design, Inc. | Unknown | 15-Aug-2001
Cray Inc. | Unknown | 17-Aug-2001
DEC | Unknown | 15-Aug-2001
FreeBSD, Inc. | Not Vulnerable | 17-Aug-2001
Fujitsu | Unknown | 17-Aug-2001
Hewlett-Packard Company | Unknown | 15-Aug-2001
Microsoft Corporation | Vulnerable | 16-Aug-2001
MIT Kerberos Development Team | Unknown | 15-Aug-2001
Mozilla | Unknown | 4-Feb-2008
NEC Corporation | Unknown | 15-Aug-2001
NetBSD | Unknown | 17-Aug-2001
Netscape Communications Corporation | Vulnerable | 16-Aug-2001
OpenBSD | Unknown | 15-Aug-2001
Red Hat, Inc. | Unknown | 15-Aug-2001
Sequent Computer Systems, Inc. | Unknown | 15-Aug-2001
SGI | Unknown | 15-Aug-2001
Siemens Nixdorf | Unknown | 15-Aug-2001
Sony Corporation | Unknown | 15-Aug-2001
Sun Microsystems, Inc. | Unknown | 15-Aug-2001
The SCO Group (SCO Linux) | Vulnerable | 20-Aug-2001

References


http://www.remote.org/jochen/sec/hfpa/index.html
http://www.securityfocus.com/bid/3181
http://eyeonsecurity.org/papers/Extended%20HTML%20Form%20Attack.htm
http://www.mozilla.org/projects/netlib/PortBanning.html
http://ha.ckers.org/blog/20060920/imap-vulnerable-to-xss/
http://www.ngssoftware.com/research/papers/InterProtocolExploitation.pdf
http://www.gnucitizen.org/blog/hacking-the-interwebs
http://aaron.weaver2.googlepages.com/CrossSitePrinting.pdf
http://ilia.ws/archives/145-Network-Scanning-with-HTTP-without-JavaScript.html

Credit

The CERT/CC thanks Jochen Topf <jochen@remote.org> for reporting this vulnerability. We would also like to thank Wietse Venema and Steve Bellovin for their assistance in understanding this vulnerability. Additionally, Wietse Venema coined the name "cross-protocol scripting."

This document was written by Ian A. Finlay and Shawn V. Hernan.

Other Information

Date Public: 2001-08-15
Date First Published: 2001-08-16
Date Last Updated: 2008-02-04
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 15.00
Document Revision: 49

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

 
Copyright 2001 Carnegie Mellon University