Insufficient input checking on web site allows dangerous HTML TAGS

Systems: LightSurf(tm) Content Delivery system; Sprint Picture Mail(sm) web site
Severity: Serious
Category: Arbitrary Execution of HTML of Hacker's Choice
Classification: Input Validation Error
BugTraq-ID: TBA
Remote Exploit: yes
Local Exploit: yes
Vendor URL: pictures.sprintpcs.com, www.lightsurf.com
Author: Michael S. Scheidell, SECNAP Network Security
Notifications: Sprint Corporate Security notified on July 11, 2003
Vendor Response: Sprint Security responded on July 11th. They were able to reproduce the problem and worked immediately with LightSurf to fix the problem and roll out fixes.

Discussion:

(From Sprint PCS Web site) View Picture Mail(SM). Share it when it happens: surprise your family with daily baby pictures... share vacation shots instantly... create a mobile photo album... send a wireless postcard.

(From LightSurf(tm) Web site) LightSurf is the leading provider of MMS Services, Picture-Messaging, and Premium Content Delivery.

Problem:

Arbitrary input allows both the user and the viewer to enter dangerous HTML tags and scripts into text fields.

1) A viewer could input arbitrary script in the share comments.
2) A user could input arbitrary script in the body of the share message.

When a Sprint PCS user takes a picture and then sends an email from the phone, the system sends a URL of their photo on the Picture Mail server to a friend. On the web page referred to by this email, the visitor can add comments. This comment input allows arbitrary and dangerous HTML tags, JavaScript and VBScript to be embedded in the comments. The next visitor to that specific URL will have this arbitrary HTML executed on their computer. This can allow a hacker to run arbitrary code of the hacker's choice on the user's computer, including remote Trojans, IRC zombies, spyware, malware, remote key loggers, or any program a hacker wants to run. This program will be running inside the corporate network, behind the firewall, with access to anything the infected user has access to.

Exploit:

An example was provided to Sprint PCS Security and LightSurf. We are not distributing any specific URL in public, as this would invade the privacy of the original sender. Users of Sprint PCS may send themselves a picture and, in the comments section, enter something like this:

<script>window.open("http://www.secnap.com/","OWAFUNIHAD");</script>

To see an exhaustive list of what can happen when unbounded HTML is passed to IE, see <http://www.guninski.com/browsers.html>

Solution:

The vendor has modified the display routines to output the input verbatim as text (without allowing HTML execution). If you are using a LightSurf product, contact them to make sure you have the latest build.

Workaround:

None needed; Sprint has fixed the problem. To protect yourself from VBScript and ActiveX, you can turn off JavaScript and ActiveX execution in Tools >> Internet Options >> Security and edit the options for the Internet Zone.

Credit:

Problem found by Michael Scheidell, SECNAP Network Security vulnerability research team. The original problem with Microsoft IE was found by George Guninski and involved insecure default reading of malformed HTML email in Outlook and OE and insecure running of HTML (see <http://www.guninski.com/browsers.html>). Special thanks to the Sprint Security Team for verifying the problem and to LightSurf for their rapid response.

The original copy of this report can be found here: <http://www.secnap.net/security/030711.html>

Copyright:

Above Copyright(c) 2003, SECNAP Network Security, LLC. World rights reserved. This security report can be copied and redistributed electronically provided it is not edited and is quoted in its entirety without written consent of SECNAP Network Security, LLC. Additional information or permission may be obtained by contacting SECNAP Network Security at 561-368-9561
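The display-routine fix described under Solution (render the stored comment as text rather than as live HTML), shown as an added Python example that is not part of the original advisory or the vendor's code; the render functions, the page template and the sample comment are constructed for illustration, and the sample comment reuses the advisory's own test string.

```python
import html

# Constructed sample: the comment string from the advisory's Exploit section.
SAMPLE_COMMENT = '<script>window.open("http://www.secnap.com/","OWAFUNIHAD");</script>'


def render_comment_vulnerable(comment: str) -> str:
    """Behaviour the advisory describes: the stored comment is concatenated
    straight into the page, so any markup in it becomes live HTML for the
    next visitor's browser (stored cross-site scripting)."""
    return f'<div class="comment">{comment}</div>'


def render_comment_fixed(comment: str) -> str:
    """The vendor's fix as described: emit the input verbatim as *text*.
    html.escape rewrites &, <, >, " and ' as character entities, so the
    browser displays the characters instead of parsing them as markup."""
    return f'<div class="comment">{html.escape(comment, quote=True)}</div>'


def has_live_element(page: str, tag: str = "script") -> bool:
    """Check used by the tests: does a real <tag ...> start tag survive in
    the rendered page? Escaped output only contains '&lt;script', which the
    browser treats as text."""
    return f"<{tag}" in page.lower()


if __name__ == "__main__":
    for name, render in (("vulnerable", render_comment_vulnerable),
                         ("fixed", render_comment_fixed)):
        page = render(SAMPLE_COMMENT)
        print(f"{name:10s} live <script>: {has_live_element(page)}")
        print("   ", page)
```

Escaping at output time, as the vendor did, protects comments that were stored before the fix as well as new ones, which input-side filtering alone would not.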