Insufficient input checking on web site allows dangerous HTML TAGS
Systems: LightSurf(tm) Content Delivery system;
         Sprint Picture Mail(sm) web site
Severity: Serious 
Category: Arbitrary Execution of HTML of Hackers Choice
Classification: Input Validation Error 
BugTraq-ID: TBA
Remote Exploit: yes 
Local Exploit: yes
Vendor URL: pictures.sprintpcs.com, www.lightsurf.com
Author: Michael S. Scheidell, SECNAP Network Security 
Notifications: Sprint Corporate Security Notified on July 11, 2003
Vendor Response: Sprint Security responded on July 11th.  They were able
to reproduce the problem and worked immediately with LightSurf to fix the
problem and rollout fixes.

Discussion: 
(From SprintPCS Web site) 
View Picture Mail(SM)
Share it when it happens: Surprise your family with daily baby pictures...
share vacation shots instantly...create a mobile photo album...send a
wireless postcard

(From Lightsurf(tm) Web site)
Lightsurf is the leading provider of MMS Services, Picture-Messaging, and
Premium Content Delivery.

Problem: 
Arbitrary input allows user and viewer to input dangerous html tags and
scripts into text fields.

1) viewer could input arbitrary script in share comments.
2) User could input arbitrary scripts in body of share message. When a
Sprint PCS user takes a picture then sends an email from the phone, the
system sends a URL of their photo on the Picture Mail server to a friend.
In the web site referred to by this email, the visitor can add comments.
This comment input allows arbitrary and dangerous HTML tags, javascript
and vbscript to be embedded in the comments. The next visitor to the
specific URL will have this arbitrary HTML executed on their computer. 

This can allow a hacker to run arbitrary code of the hackers choice on the
users computer. This includes remote Trojans, IRC zombies, spyware,
malware, remote key loggers, or any program a hackers (Mike: delete the s)
wants to. This program will be running inside the corporate network,
behind the firewall and access anything the infected user has access to. 

Exploit: An example was provided to Sprint PCS  Security and LightSurf.
We are not distributing any specific url in public as this would invade
the privacy of original sender. Users of Sprint PCS  may send themselves a
picture and in the comments section enter something like
this:<script>window.open("http://www.secnap.com/","OWAFUNIHAD");</script>

To see an exhaustive list of what can happen when unbounded HTML is passed
to IE, see <http://www.guninski.com/browsers.html> 

Solution: Vendor has modified the display routines to output verbatim the
input as text (without allowing html execution).  If you are using
LightSurf product contact them to make sure you have the latest build.

Workaround: None needed, Sprint has fixed the problem. To protect yourself
from vbscript, Active-X you can turn off javascript and Active-X execution
in Tools >> Internet Options >> Security and edit options in Internet Zone

Credit: 
Problem found by Michael Scheidell, SECNAP Network Security vulnerability
research team.

The original problem with Microsoft IE found by George Guninski and
involved insecure default reading of a malformed HTML Email in Outlook and
OE and insecure running of HTML (see
<http://www.guninski.com/browsers.html>).

Special thanks to the Sprint Security Team for verifying the problem and
to LightSurf for their rapid response.

Original copy of this report can be found here 
<http://www.secnap.net/security/030711.html> 

Copyright: 
Above Copyright(c) 2003, SECNAP Network Security, LLC. World rights
reserved. 

This security report can be copied and redistributed electronically
provided it is not edited and is quoted in its entirety without written
consent of SECNAP Network Security, LLC. Additional information or
permission may be obtained by contacting SECNAP Network Security at
561-368-9561