
Dangerous HTML Tags on SprintPCS Picture Mail Site
Insufficient input checking on the web site allows dangerous HTML tags

Systems: LightSurf(tm) Content Delivery system; Sprint Picture Mail(sm) web site
Severity: Serious
Category: Arbitrary execution of HTML of the attacker's choice
Classification: Input Validation Error
BugTraq-ID: TBA
Remote Exploit: yes
Local Exploit: yes
Vendor URL: pictures.sprintpcs.com, www.lightsurf.com
Author: Michael S. Scheidell, SECNAP Network Security

Notifications: Sprint Corporate Security notified on July 11, 2003

Vendor Response: Sprint Security responded on July 11th. They were able to reproduce the problem and worked immediately with LightSurf to fix it and roll out fixes.

Discussion: (From the LightSurf(tm) web site)

Problem: 1) A viewer could input arbitrary script in the share comments. The comment was written back into the page as HTML rather than as text, so any tag or script it contained ran in the browser of whoever viewed the shared picture. Combined with the Internet Explorer HTML-handling bugs catalogued at www.guninski.com/browsers.html, this can allow an attacker to run arbitrary code of their choice on the user's computer: remote Trojans, IRC zombies, spyware, malware, remote key loggers, or any other program the attacker wants. That program would then be running inside the corporate network, behind the firewall, with access to anything the infected user has access to.

Exploit: An example was provided to SprintPCS security and LightSurf. We are not distributing any specific URL in public, as this would invade the privacy of the original sender. Users of SprintPCS may send themselves a picture and, in the comments section, enter something like this:

    <script>window.open("http://www.secnap.com/","OWAFUNIHAD");</script>

For an exhaustive list of what can happen when unbounded HTML is passed to IE, see www.guninski.com/browsers.html.

Solution: The vendor has modified the display routines to output the input verbatim as text (HTML-escaped, so it is displayed rather than executed). If you are using a LightSurf product, contact them to make sure you have the latest build.

Workaround: None needed; Sprint has fixed the problem.
To protect yourself from VBScript and ActiveX more generally, you can turn off JavaScript and ActiveX execution in Internet Explorer under Tools >> Internet Options >> Security and edit the options for the Internet zone.

Credit: The original problem with Microsoft IE was found by Georgi Guninski and involved insecure default rendering of malformed HTML e-mail in Outlook and Outlook Express and insecure execution of HTML (see www.guninski.com/browsers.html). Special thanks to the Sprint Security Team for verifying the problem and to LightSurf for their rapid response.
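Appendix (added example; this is not code from the advisory, from Sprint or from LightSurf). It places the unsafe rendering pattern described under Problem beside the output-as-text fix described under Solution, and adds a small regression check that a test suite could use to confirm that no comment-supplied tag survives rendering. The HTML skeleton, the "share-comment" class name and all function names are assumptions made for illustration; the sample comments are constructed, the first in the style of the payload shown above.

```javascript
// Added example: not code from the advisory, Sprint or LightSurf.
// The HTML skeleton, the "share-comment" class and all function names
// are assumptions made for illustration.

// The five characters that change meaning when untrusted text is placed
// in an HTML text node or a double-quoted attribute value.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text so the browser displays it verbatim instead of
// parsing it as markup. One pass over the input: replacement text is
// never re-scanned, so '&' handling cannot corrupt the other entities.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Reverse mapping, used below to show that what the safe renderer emits
// decodes back to exactly what the viewer typed (nothing is dropped).
function unescapeHtml(escaped) {
  const reverse = Object.fromEntries(
    Object.entries(HTML_ESCAPES).map(([ch, ent]) => [ent, ch]),
  );
  return escaped.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => reverse[ent]);
}

// Vulnerable pattern (the "before"): the viewer's comment is concatenated
// straight into the page, so any tags it contains become live HTML.
function renderCommentUnsafe(comment) {
  return '<div class="share-comment">' + comment + '</div>';
}

// Fixed pattern, matching the Solution section: the comment is emitted
// as text, so a <script> tag is shown on screen rather than executed.
function renderCommentSafe(comment) {
  return '<div class="share-comment">' + escapeHtml(comment) + '</div>';
}

// Regression oracle: list every tag name in the rendered markup that the
// template itself did not put there. Deliberately crude (a test helper,
// not a sanitizer); the fix is the escaping, not this check.
function foreignTags(markup, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  const found = new Set();
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name)) found.add(name);
  }
  return [...found];
}

// Constructed sample comments. The first mirrors the advisory's payload;
// the second uses an upper-case tag and an event handler attribute.
const SAMPLE_COMMENTS = [
  '<script>window.open("http://www.secnap.com/","OWAFUNIHAD");</script>',
  'nice pic! <IMG SRC="x" onerror="alert(1)">',
];

// For each sample, report which foreign tags survive under each renderer
// and whether the escaped form decodes back to the original comment.
function compareRenderers(comments) {
  return comments.map((c) => ({
    comment: c,
    unsafe: foreignTags(renderCommentUnsafe(c), ['div']),
    safe: foreignTags(renderCommentSafe(c), ['div']),
    roundTrips: unescapeHtml(escapeHtml(c)) === c,
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of compareRenderers(SAMPLE_COMMENTS)) {
    console.log(JSON.stringify(r));
  }
}
```

Run with node to see, for each sample, the script and img tags reported under the unsafe renderer and an empty list under the safe one. The escaping shown covers text nodes and double-quoted attribute values only; a comment interpolated into a script block, an unquoted attribute, a URL or a CSS value needs the encoding for that context, which is why the vendor's fix of treating the field purely as displayed text is the right shape for a comment box.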