Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:361600
HistorySep 26, 2001 - 12:00 a.m.

Web-based email services filtering systems vulnerable to malicous script execution

2001-09-2600:00:00
www.kb.cert.org
8

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

75.4%

JSON

Overview

An attacker can send a specially crafted email message to a victim containing malicious scripting (JavaScript, VBScript, JScript, etc.), or potentially HTML. When a victim views the message with scripting enabled, the victim’s browser will then interpret this javascript which can lead to several impacts.

Description

Malicious code provided by one client for another client

Sites that provide email service with web interfaces have guarded against a vulnerability where one client embeds malicious HTML tags in a message intended for another client with in the body of a message. For example, an attacker might send an email message like

From: [email protected]
To: [email protected]
Subject: Hello

Hello Victim,

This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.

When a victim with scripts enabled in their browser reads this message, the malicious code may be executed unexpectedly. Scripting tags that can be embedded in this way include <SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>.

With client-to-client sites, developers explicitly recognize that data input is untrustworthy when it is presented to other users. Most email services either will not accept such input or will encode/filter it before sending anything to other readers.

It has recently been discovered that some sites that provide email services with web interfaces are failing to check fields outside of the message body. Hotmail, Hushmail, and MyOwnEmail are all services that have been reported vulnerable to this attack. There may be other sites that provide email service with web interfaces vulnerable to this attack. The following message would be an example of this:

From: a background=javascript:alert(‘test’) @example.com
To: [email protected]
Subject: Hello

Hello Victim,

This is a message.
This is the end of my message.

This vulnerability is closely related to Cross-Site Scripting. For more information on Cross-Site Scripting, see <http://www.cert.org/advisories/CA-2000-02.html&gt;. Hotmail, Hushmail, and MyOwnEmail are all services that have been reported vulnerable to this attack.

Impact

This attack could be used to gain sensitive data such as passwords, credit card numbers, and any arbitrary information the user inputs. This may also lead to the theft of credentials.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Disable scripting in your browser.

Vendor Information

361600

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Hushmail.com __ Affected

Updated: September 13, 2001

Status

Affected

Vendor Statement

The vulnerability has been fixed. We have no record of a notification on September 5th, or we certainly would have fixed this earlier. It was a very straightforward issue involving a failure to use the htmlspecialchars() PHP function in that area of the code. It is our general practice to always use this method when displaying information using PHP in order to avoid such scripting vulnerabilities, and we regret the unfortunate oversight.

Many thanks to 1; and everyone else who has helped us keep HushMail secure in the past.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23361600 Feedback>).

Microsoft Corporation __ Affected

Updated: September 13, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Hotmail.com is owned Microsoft.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23361600 Feedback>).

MyOwnEmail.com Affected

Updated: September 13, 2001

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23361600 Feedback>).

CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Hushmail has credited 1; (one-semicolon) with the discovery of this vulnerability.

This document was written by Jason Rafail.

Other Information

CVE IDs: CVE-2001-0223
Severity Metric: 15.75 Date Public:

Related

nvd 1
cvelist 1
nessus 1
cve 1
nvd
nvd
CVE-2001-0223
2001-03-26 05:00:00
cvelist
cvelist
CVE-2001-0223
2001-03-09 05:00:00
nessus
nessus
wwwwais QUERY_STRING Parameter Remote Overflow
2001-01-19 00:00:00
cve
cve
CVE-2001-0223
2001-03-26 05:00:00

10 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

0.005 Low

EPSS

Percentile

75.4%

JSON
Related for VU:361600
nvd1cvelist1nessus1cve1