------------------------------------------
More Vulnerabilities In Rediffmail.com
------------------------------------------

- Viper [ viper31337@yahoo.co.in ]
  aka JunkCode / Gregory R. Panakkal
- http://www.crapware.tk

About Vendor: Rediff.com
------------------------

Rediffmail.com, from Rediff, is a premier portal in India with a very large
user base. Rediffmail is among the few e-mail providers that offer 1GB of
free space. A vulnerability that affects such a provider is critical to its
users.

About Rediffmail.com
--------------------

Ever since my last vulnerability report regarding Rediff, they have made
drastic changes to the webmail interface, adding script filters, image
filters etc. in an attempt to avoid further attacks.

THIS REPORT PRESENTS EXPLOIT CODE TO BYPASS THESE FILTERS, AND ALSO PRESENTS
THREE POSSIBLE ATTACKS ON REDIFFMAIL (WEBMAIL) USERS.

#################################
#                               #
# BYPASSING IMAGE-BLOCK FILTERS #
#                               #
#################################

The images in a mail are blocked by default. This has been implemented by
Rediffmail for security reasons, to avoid web bugs etc. that can be used to
track a user.

This image-block filter can be bypassed if the user uses Internet Explorer.
The following causes the web bug to get loaded (and displayed momentarily,
if it is a picture):

############################
#                          #
# BYPASSING SCRIPT FILTERS #
#                          #
############################

Rediffmail does its script filtering in a variety of ways, e.g. by inserting
'-' (hyphen) in between the letters of HTML/script tags like

to get embedded in the mail when viewed (HTML source) by the user.

I hope you get the idea, i.e. this is to be done by totally avoiding
functions like document.write() etc.

Now, while I was looking at a way to get ' also injected, a very similar
approach was taken.

Now, the whole combined code that is to be sent to the Rediffmail account
is:
--START/CODE--
';
--END/CODE--

You might wonder why a variable 'abc' has been inserted towards the end,
before the
REDIFF LOGOUT TEST
 
'); abc='

================================================================
3. Remote Attacker Can Enable Auto-Reply Option (Spoofing Reply)
================================================================

A remote attacker can spoof replies to mail sent to a target user's
account. This attack can be viewed as a social-engineering attack: for
example, the auto-reply can be used to send an "e-mail address changed"
notification to everyone who writes to the victim.

Proof Of Concept
----------------
REDIFF VACATION REPLY TEST
 
'); abc='

############
#          #
# SOLUTION #
#          #
############

Client Side : Disable Active Scripting
Server Side : Implement The Perfect Script Filtering. :)
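As an added illustration (not code from this advisory, and not Rediff's filter), the following Node.js script puts a toy version of the hyphen-insertion filter described under "BYPASSING SCRIPT FILTERS" next to an allow-list sanitizer of the kind the "Server Side" recommendation calls for. The deny-list filter's matching rule is an assumption: the page does not say how Rediffmail matched tag names, and the inputs that slip past it here (an upper-case tag name, an event-handler attribute on a permitted tag) are generic deny-list weaknesses, not the bypass from this report. The tag/attribute allow list, the URL scheme check and the sample inputs are all constructed for the example.

```javascript
'use strict';

// Added example, not Rediff's code.
//
// denyListFilter   - reconstruction (assumed details) of the approach the
//                    advisory describes: known tag names are broken up with
//                    '-' so the browser no longer recognises them, e.g.
//                    <script> becomes <s-c-r-i-p-t>. The case-sensitive
//                    regex is an assumption chosen to show a typical
//                    deny-list weakness.
// allowListSanitize - an allow-list approach: only approved tags and
//                    attributes survive, every other tag is dropped and
//                    every stray '<' or '>' in text is escaped.

const DANGEROUS_TAGS = ['script', 'iframe', 'object', 'embed', 'meta', 'link', 'style'];

function denyListFilter(html) {
  // Hyphenate listed tag names (opening and closing tags alike).
  return html.replace(/<(\/?)([a-z]+)/g, (match, slash, name) =>
    DANGEROUS_TAGS.includes(name) ? '<' + slash + name.split('').join('-') : match);
}

// Tag -> attributes that may be kept. Event handlers (on*) are never listed,
// and URL-bearing attributes are additionally restricted to http(s).
const ALLOWED = new Map(Object.entries({
  p: [], br: [], b: [], i: [], u: [], strong: [], em: [],
  a: ['href'], img: ['src', 'alt', 'width', 'height'],
}));
const URL_ATTRS = new Set(['href', 'src']);
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>/g;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

function escapeText(text) {
  // Only '<' and '>' can open or close markup; entities in text are left alone.
  return text.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

function safeUrl(value) {
  // Drop whitespace/control characters browsers ignore, then require http(s)
  // so javascript:, data: and relative URLs are all rejected.
  const cleaned = value.replace(/[\s\x00-\x1f]/g, '');
  return /^https?:\/\//i.test(cleaned) ? cleaned : null;
}

function rebuildTag(name, attrString) {
  const keep = ALLOWED.get(name);
  let out = '<' + name;
  for (const m of attrString.matchAll(ATTR_RE)) {
    const attr = m[1].toLowerCase();
    if (!keep.includes(attr)) continue;            // drops onerror, style, ...
    let value = m[2] ?? m[3] ?? m[4] ?? '';
    if (URL_ATTRS.has(attr)) {
      value = safeUrl(value);
      if (value === null) continue;               // drops the attribute entirely
    }
    out += ' ' + attr + '="' + value.replace(/&/g, '&amp;').replace(/"/g, '&quot;') + '"';
  }
  return out + '>';
}

function allowListSanitize(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(TAG_RE)) {
    out += escapeText(html.slice(last, m.index));  // text between tags
    last = m.index + m[0].length;
    const name = m[2].toLowerCase();
    if (!ALLOWED.has(name)) continue;              // unknown tag: removed
    out += m[1] ? '</' + name + '>' : rebuildTag(name, m[3]);
  }
  // An unterminated tag never matches TAG_RE, so its '<' is escaped here.
  return out + escapeText(html.slice(last));
}

// Constructed sample mail bodies.
const SAMPLES = [
  '<script>alert(1)</script>',
  '<SCRIPT>alert(1)</SCRIPT>',
  '<img src="http://example.test/p.gif" onerror="alert(1)">',
  '<a href="javascript:alert(1)">x</a>',
];
for (const s of SAMPLES) {
  console.log('deny-list : ' + denyListFilter(s));
  console.log('allow-list: ' + allowListSanitize(s));
}
```

The deny-list filter neutralises only the exact spelling it knows, so the second and third samples pass through it untouched; the allow-list version needs no knowledge of dangerous tags at all, because anything it has not explicitly approved is removed.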