
HTML / CSS injection in Mail.Ru mail

Everything new is well-forgotten old: I remember that several years ago LiveJournal had a bug that allowed elements inserted into comment text to be given absolute positioning. Everything described in this post builds on that idea.

The vulnerability described here applies to any input form that accepts custom HTML.

Because the idea of setting the position property via inline styles is not new, most services filter such styles.
Developing this idea, we will instead assign the element a class that already exists in the page's stylesheet and already carries the property value we need.

Finding a class with the required properties is not difficult using the search on the CSS tab in Firebug:


If the class carries any extra properties, they can be overridden using inline styles.

Consider the following message body:

<div class="pAbs" style="top: 0; left: 0; width: 100%; height: 100%; background-color: pink; z-index: 65535;">
<h1>, %username%!</h1>
</div>


When such a message is opened in the web interface, the user sees the following picture:



Thus our div is absolutely positioned and covers the other interface elements.

Obviously, the greatest danger of such a vulnerability is the ability to build a phishing login form. The user never leaves the site and sees a completely legitimate address in the browser's address bar. Combined with the existing CSRF vulnerability, one can insert an image whose URL is the mail logout link, so that opening the message really does lead to a login prompt.

To prevent such problems, the use of classes in custom HTML must be ruled out: Rambler mail, for example, adds a prefix to class names, while Yandex mail simply strips the class attribute.
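The two mitigations just mentioned, as an added example that is not code from the post or from any of the mail services named (it uses the standard library html.parser and a sample message constructed from the post's snippet; the prefix "mail-" and the host class list are assumptions). Class names are either prefixed so they can never match the webmail's own stylesheet, or dropped entirely, and inline style properties that let content escape its box (position, offsets, z-index) are removed. A separate check reports which classes in a message collide with the host stylesheet, which is the signal a defender would want to log:

```python
import html
from html.parser import HTMLParser

# Constructed sample: the message body from the post, plus a second class
# so both rewriting modes are visible.
SAMPLE_LETTER = (
    '<div class="pAbs" style="top: 0; left: 0; width: 100%; height: 100%; '
    'background-color: pink; z-index: 65535;">'
    '<h1 class="title">, %username%!</h1></div>'
)

# Inline style properties that let injected content leave its own box and
# cover the host interface.
BLOCKED_STYLE_PROPS = {"position", "top", "left", "right", "bottom", "z-index"}


class MailHtmlSanitizer(HTMLParser):
    """Rewrites untrusted mail HTML so it cannot reuse host-page classes.

    mode="prefix": prefix every class name (Rambler-style mitigation).
    mode="strip":  drop the class attribute entirely (Yandex-style mitigation).
    Position-related inline style declarations are removed in both modes.
    """

    def __init__(self, mode="prefix", prefix="mail-"):
        super().__init__(convert_charrefs=True)
        self.mode = mode
        self.prefix = prefix  # assumed prefix, not any service's real one
        self.out = []

    def _clean_style(self, value):
        kept = []
        for decl in value.split(";"):
            if ":" not in decl:
                continue
            prop, _, val = decl.partition(":")
            if prop.strip().lower() in BLOCKED_STYLE_PROPS:
                continue
            kept.append(f"{prop.strip()}: {val.strip()}")
        return "; ".join(kept)

    def _clean_attrs(self, attrs):
        cleaned = []
        for name, value in attrs:
            value = value or ""
            lname = name.lower()
            if lname == "class":
                if self.mode == "strip":
                    continue
                value = " ".join(self.prefix + c for c in value.split())
            elif lname == "style":
                value = self._clean_style(value)
                if not value:
                    continue
            cleaned.append((lname, value))
        return cleaned

    def _attr_text(self, attrs):
        return "".join(f' {n}="{html.escape(v, quote=True)}"' for n, v in attrs)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attr_text(self._clean_attrs(attrs))}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._attr_text(self._clean_attrs(attrs))}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))


def sanitize(markup, mode="prefix"):
    """Return the message HTML with classes prefixed (or stripped) and
    positioning styles removed."""
    parser = MailHtmlSanitizer(mode=mode)
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


class _ClassCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.classes = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() == "class" and value:
                self.classes.update(value.split())


def host_class_collisions(markup, host_classes):
    """Detection check: class names in the message that also exist in the
    webmail's own stylesheet. host_classes is constructed here; a real
    service would extract it from its CSS."""
    collector = _ClassCollector()
    collector.feed(markup)
    collector.close()
    return collector.classes & set(host_classes)


if __name__ == "__main__":
    print(sanitize(SAMPLE_LETTER))
    print(sanitize(SAMPLE_LETTER, mode="strip"))
    print(host_class_collisions(SAMPLE_LETTER, {"pAbs", "pRel"}))
```

Prefixing keeps the sender's own styling intact while guaranteeing no selector from the host stylesheet can match; stripping is simpler but also discards harmless classes. Removing the positioning declarations covers the inline-style variant the post says most services already filter, so the two rules together close both halves of the trick.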

UPD: Mail.Ru employees made a desperate but unsuccessful attempt to fix the bug. ;-)
UPD 2: After a short struggle, the bug was fixed.

Source: https://habr.com/ru/post/130485/