Title: Everyone's loginName variable Cross Site Scripting Author: Simo Ben youssef aka _6mO_HaCk Published: 12 february 2006 MorX Security Research Team http://www.morx.org Service: Webmail Vendor: everyone / www.everyone.net Vulnerability: Cross Site Scripting Exploit included: Yes Details: Everyone.net is an email service provider, offering new email accounts for personal email, group email, business email and outsourced email. eveyone.net offers secure email hosting with email accounts that are fast and reliable and provides full-featured email services for over 300,000 domains. their solutions include a range of features including Web Mail, SpamShield Pro, Anti-Virus, IMAP, POP, SMTP and free domain registrations. for more information visit their website at http://www.everyone.net everyone's login perl script (loginuser.pl) is prone to cross-site scripting attacks. This problem is due to a failure in the script to properly sanitize user-supplied input when passed in variable loginName. from loginuser.htm source code after submiting ">maliciousCode as a username: maliciousCode" maxlength="100"> Impact: an attacker can exploit the vulnerable scripts to have arbitrary script code executed in the browser of an authentified everyone user in the context of the vulnerable website. resulting in the theft of cookie-based authentication giving the attacker full access to the victim's email account as well as other type of attacks. Affected script URL path: www.vulnerable-site.com/email/scripts/loginuser.pl Exploit: i ve read in a paper that cross site scripting that requires using the POST method instead of GET is not exploitable, that's false since POSTing a form doesnt necessary requires using
the above code can be placed on a web page by an attacker and have a victim visit the page. the login name value can be changed to have the cookie redirected and grabbed by the attacker Screen capture: http://www.morx.org/everyoneXSS.JPG Disclaimer: this entire document is for eductional, testing and demonstrating purpose only. Modification use and/or publishing this information is entirely on your OWN risk. The information provided in this advisory is to be used/tested on your OWN machine/Account. I cannot be held responsible for any of the above.