While playing around with the webmail server (Iplanet Messaging) of my old ISP (Terra Networks) I noticed something really strange that I could not believe in: it was possible to do a XSS through an html attachment. In fact, with Iplanet Messaging you can open an html attachments "online", so the code is executed in the webmail domain context... ooops! First I tried a script to steal the cookie, and it worked. Then I tried it on others Iplanet installations and I could not get the cookie... :-( I don`t exactly know how Iplanet Messaging tracks http sessions, but after looking some of the http flow, I think it only looks for a session id "sid" parameter.The "SID" is sent in any request in the URI request, so it seems there's no need for any cookie... My old ISP (www.terra.es), seems to be using although cookies, and some kind of javascript filtering (Maybe Firewall-1 resource), but it's easy to trick the filtering device (it looks inside "body" tags, but the script doesn't need those tags to be executed),... but this is another story. So, for Iplanet Messaging: it seems that you can execute scripts on the webmail domain context, and an attacker can use it to steal Session ID's. Our tests have been done on two environments, HTTP and HTTPS, both of them successfully exploited. How to reproduce: All you have to do is send an attachment with the next code: <html> <script>alert(document.URL)</script> </html> The URL in the alert box has the "sid" we are looking for. Notice that, it's really easy to exploit this, the attacker do not need to create a special crafted HTTP request with a stolen cookie header, he only needs to do a "copy-paste" of the URL... Can anyone replicate this? Is this an Iplanet Messaging bug? Any feedback will be appreciated, Sincerely, Hugo Vázquez Caramés & Toni Cortés Martínez INFOHACKING RESEARCH 2003 http://www.infohacking.com Barcelona Spain
