GMX mail.com XSS page

hms1160 · Post by **hms1160** » Wed May 21, 2014 12:56 am

When trying to log in to my mail.com account, I get the following page. Here's a screen shot of what I mean:

I've contacted mail.com to let them know of the situation and have not heard back yet. I wanted to know if this is a false positive or if it's something they need to get on ASAP. And here's what was logged on the console:

Error in parsing value for 'background'. Declaration dropped. default-final.css:1
Expected color but found 'top'. Error in parsing value for 'background'. Declaration dropped. default-final.css:1
Expected 'none' or URL but found 'progid'. Error in parsing value for 'filter'. Declaration dropped. default-final.css:1
Expected 'none' or URL but found 'alpha('. Error in parsing value for 'filter'. Declaration dropped. default-final.css:1
Unknown property '-moz-opacity'. Declaration dropped. default-final.css:1
Unknown property '-moz-border-radius'. Declaration dropped. default-final.css:1
Error in parsing value for 'z-index'. Declaration dropped. default-final.css:1
Error in parsing value for 'min-width'. Declaration dropped. default-final.css:1
Expected color but found '-webkit-focus-ring-color'. Error in parsing value for 'outline'. Declaration dropped. default-final.css:1
Permission denied to access property 'document' rtcDefault.xml:43
Use of getPreventDefault() is deprecated. Use defaultPrevented instead.

Post by **Thrawn** » Wed May 21, 2014 3:04 am

The console logs you posted didn't include the XSS message...can you try again? Maybe disabling CSS messages?

hms1160 · Post by **hms1160** » Wed May 21, 2014 5:22 am

Forgive my ignorance as I'm not exactly tech savvy, but how would I disable CSS messages, and where would I find the XSS messages?

Post by **Giorgio Maone** » Wed May 21, 2014 10:27 am

Known issue with the new gmx.com UI, worked-around in NoScript 2.6.8.25.

boris · Post by **boris** » Fri May 23, 2014 3:23 pm

Giorgio Maone wrote:Known issue with the new gmx.com UI, worked-around in NoScript 2.6.8.25.

Same issue with Firefox 29.0.1 for Linux new profile & NoScript 2.6.8.25. Whitelist:

Code: Select all

mail.com
uicdn.com
ui-portal.de

Browser console output:

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://login.mail.com/login#.1258-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.mail.com%2Flogin] from [https://www.mail.com/int/]: transformed into a download-only GET request.

Trying to fix it myself, I added one exception:

Code: Select all

^https://login\.mail\.com\/login.*$

the website works, but the Browser Console says:

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [https://navigator-lxa.mail.com/login?edition=int&uasMobileServiceID=mobile.web.mail.mailcom.live&btnLogin=Log%20in&usertype=standard&ssl=true&mobileSuccessURL=https://mobile-$(clientName)-$(dataCenter).mail.com/login&lang=en&uasServiceID=mc_starter_mailcom&device=desktop&ott=9d72f85f-634b-40ff-8ef0-c5385058c0cd#.1258-header-login1-1] requested from [https://www.mail.com/int/]. Sanitized URL: [https://navigator-lxa.mail.com/login?edition=int&uasMobileServiceID=mobile.web.mail.mailcom.live&btnLogin=Log%20in&usertype=standard&ssl=true&mobileSuccessURL=https%3A%2F%2Fmobile-%2524%2520clientname%2520-%2524%2520datacenter%2520.mail.com%2Flogin%2339614811893832136627&lang=en&uasServiceID=mc_starter_mailcom&device=desktop&ott=9d72f85f-634b-40ff-8ef0-c5385058c0cd#7006545986910568443].

I've found your GMX fix on RequestWatchdog.js; please, maybe if you add the following code to your addon you can fix this issue.

Code: Select all

if (targetSite === "https://login.mail.com" && /^https?:\/\/(?:(?:www\.)?mail|s\.uicdn)\.com$/.test(originSite)) {
          return ;
        }

Post by **Giorgio Maone** » Fri May 23, 2014 8:37 pm

Please check latest development build 2.6.8.26rc1, thanks.

G. Niemann · Post by **G. Niemann** » Tue May 27, 2014 2:32 pm

boris wrote:
Giorgio Maone wrote:Known issue with the new gmx.com UI, worked-around in NoScript 2.6.8.25.

Trying to fix it myself, I added one exception:
Code: Select all
^https://login\.mail\.com\/login.*$

-worked perfectly; thank you

Post by **therube** » Tue May 27, 2014 4:45 pm

> worked perfectly

What was that, the latest development build 2.6.8.26rc1 (& after reverting exception)?

Post by **Giorgio Maone** » Thu May 29, 2014 10:21 pm

Please check latest development build 2.6.8.27rc1, too, thanks.

CatKiller · Post by **CatKiller** » Thu Jun 05, 2014 8:22 pm

- it isn´t problem for NoScript, but problem for addons FF - name Clean Links ; when CL is deactivated, problem missing - testing on FF/Nightly v32

InformAction Forums

GMX mail.com XSS page

GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page

Re: GMX mail.com XSS page