While playing around with the webmail server (Iplanet Messaging) of my old 

ISP (Terra Networks) I noticed something really strange that I could not 

believe in: it was possible to do a XSS through an html attachment. In 

fact, with Iplanet Messaging you can open an html attachments "online", so 

the code is executed in the webmail domain context...  ooops!



First I tried a script to steal the cookie, and it worked. Then I tried it 

on others Iplanet installations and I could not get the cookie... :-(



I don`t exactly know how Iplanet Messaging tracks http sessions, but after 

looking some of the http flow, I think it only looks for a session 

id "sid" parameter.The "SID" is sent in any request in the URI request, so 

it seems there's no need for any cookie... My old ISP (www.terra.es), 

seems to be using although cookies, and some kind of javascript filtering 

(Maybe Firewall-1 resource), but it's easy to trick the filtering device 

(it looks inside "body" tags, but the script doesn't need those tags to be 

executed),... but this is another story.



So, for Iplanet Messaging: it seems that you can execute scripts on the 

webmail domain context, and an attacker can use it to steal Session ID's. 

Our tests have been done on two environments, HTTP and HTTPS, both of them 

successfully exploited.



How to reproduce:



All you have to do is send an attachment with the next code:



<html>

&lt;script&gt;alert(document.URL)&lt;/script&gt;

</html>



The URL in the alert box has the "sid" we are looking for.

Notice that, it's really easy to exploit this, the attacker do not need to 

create a special crafted HTTP request with a stolen cookie header, he only 

needs to do a "copy-paste" of the URL...



Can anyone replicate this?

Is this an Iplanet Messaging bug?



Any feedback will be appreciated,



Sincerely,



Hugo Vázquez Caramés & Toni Cortés Martínez

INFOHACKING RESEARCH 2003

http://www.infohacking.com

Barcelona

Spain