Vulnerability Note VU#707100

Multiple web-based email services fail to filter malicious characters when the message contains cascading style sheet character escaping

Original Release date: 10 Dec 2003 | Last revised: 10 Dec 2003

Overview

An attacker can send a specially crafted email message to a victim containing malicious scripting (JavaScript, VBScript, JScript, etc.), active content, or potentially HTML. When a victim views the message with scripting enabled, the victim's browser will then interpret this javascript which can lead to several impacts.

Description

Malicious code provided by one client for another client

Sites that provide email service with web interfaces have guarded against a vulnerability where one client embeds malicious HTML tags in a message intended for another client with in the body of a message. For example, an attacker might send an email message like

    From: attacker@example.com
    To: victim@example.com
    Subject: Hello

    Hello Victim,

    This is a message.
    <SCRIPT>malicious code</SCRIPT>
    This is the end of my message.

When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

With client-to-client sites, developers explicitly recognize that data input is untrustworthy when it is presented to other users. Most email services either will not accept such input or will encode/filter it before sending anything to other readers.

It has recently been discovered that some sites that provide email services with web interfaces are failing to check for tags that have been encoded in the message body. The following message would be an example of this:
    From: attacker@example.com
    To: victim@example.com
    Subject: Hello

    Hello Victim,

    This is a message.
    <\73CRIP\T>malicious code<\/\73CRIP\T>
    This is the end of my message.

Note that the email message does not need to originate from the same domain. This vulnerability is closely related to Cross-Site Scripting. For more information on Cross-Site Scripting, see http://www.cert.org/advisories/CA-2000-02.html. Yahoo!, Excite, and Outblaze (Mail.com) are all services that have been reported vulnerable to this attack. Hotmail and Lycos Mail are reported to be not vulnerable.

Impact

Malicious scripting, HTML and Active Content can be executed in the victim's browser. This attack could be used to gain sensitive data such as passwords, credit card numbers, address book entries and any arbitrary information the user inputs. This may also lead to the theft of credentials.

Solution

Please review the Systems Affected section to determine if your vendor is vulnerable, and whether they have taken any action to remedy this vulnerability.

Do not open messages that you feel may contain untrustworthy content. Even if the message originates from a known person. Also, you can set your browser's security settings to disable scripting and active content. This will limit, but not mitigate the attack vectors for this vulnerability, but will also decrease the functionality of your service.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
ExciteAffected-10 Dec 2003
OutblazeAffected-14 Nov 2003
Yahoo! Inc.Affected-14 Nov 2003
Lycos Inc.Not Affected-14 Nov 2003
Microsoft CorporationNot Affected-14 Nov 2003
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Finjan Software for reporting this vulnerability.

This document was written by Jason A Rafail.

Other Information

  • CVE IDs: Unknown
  • Date Public: 10 Dec 2003
  • Date First Published: 10 Dec 2003
  • Date Last Updated: 10 Dec 2003
  • Severity Metric: 3.96
  • Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.