InformAction Forums

NoScripters and WebSec nerds of all lands, unite!
https://forums.informaction.com/

GMX mail.com XSS page

https://forums.informaction.com/viewtopic.php?t=19690

Page 1 of 1

GMX mail.com XSS page

Posted: Wed May 21, 2014 12:56 am
by hms1160
When trying to log in to my mail.com account, I get the following page. Here's a screen shot of what I mean:

Image

I've contacted mail.com to let them know of the situation and have not heard back yet. I wanted to know if this is a false positive or if it's something they need to get on ASAP. And here's what was logged on the console:
Error in parsing value for 'background'. Declaration dropped. default-final.css:1
Expected color but found 'top'. Error in parsing value for 'background'. Declaration dropped. default-final.css:1
Expected 'none' or URL but found 'progid'. Error in parsing value for 'filter'. Declaration dropped. default-final.css:1
Expected 'none' or URL but found 'alpha('. Error in parsing value for 'filter'. Declaration dropped. default-final.css:1
Unknown property '-moz-opacity'. Declaration dropped. default-final.css:1
Unknown property '-moz-border-radius'. Declaration dropped. default-final.css:1
Error in parsing value for 'z-index'. Declaration dropped. default-final.css:1
Error in parsing value for 'min-width'. Declaration dropped. default-final.css:1
Expected color but found '-webkit-focus-ring-color'. Error in parsing value for 'outline'. Declaration dropped. default-final.css:1
Permission denied to access property 'document' rtcDefault.xml:43
Use of getPreventDefault() is deprecated. Use defaultPrevented instead.

Re: GMX mail.com XSS page

Posted: Wed May 21, 2014 3:04 am
by Thrawn
The console logs you posted didn't include the XSS message...can you try again? Maybe disabling CSS messages?

Re: GMX mail.com XSS page

Posted: Wed May 21, 2014 5:22 am
by hms1160
Forgive my ignorance as I'm not exactly tech savvy, but how would I disable CSS messages, and where would I find the XSS messages?

Re: GMX mail.com XSS page

Posted: Wed May 21, 2014 10:27 am
by Giorgio Maone
Known issue with the new gmx.com UI, worked-around in NoScript 2.6.8.25.

Re: GMX mail.com XSS page

Posted: Fri May 23, 2014 3:23 pm
by boris
Giorgio Maone wrote:Known issue with the new gmx.com UI, worked-around in NoScript 2.6.8.25.
Same issue with Firefox 29.0.1 for Linux new profile & NoScript 2.6.8.25. Whitelist:

Code: Select all

mail.com
uicdn.com
ui-portal.de
Browser console output:

Code: Select all

[NoScript XSS] Sanitized suspicious upload to [https://login.mail.com/login#.1258-header-login1-1###DATA###https%3A%2F%2F%24%28clientName%29-%24%28dataCenter%29.mail.com%2Flogin] from [https://www.mail.com/int/]: transformed into a download-only GET request.
Trying to fix it myself, I added one exception:

Code: Select all

^https://login\.mail\.com\/login.*$
the website works, but the Browser Console says:

Code: Select all

[NoScript XSS] Sanitized suspicious request. Original URL [https://navigator-lxa.mail.com/login?edition=int&uasMobileServiceID=mobile.web.mail.mailcom.live&btnLogin=Log%20in&usertype=standard&ssl=true&mobileSuccessURL=https://mobile-$(clientName)-$(dataCenter).mail.com/login&lang=en&uasServiceID=mc_starter_mailcom&device=desktop&ott=9d72f85f-634b-40ff-8ef0-c5385058c0cd#.1258-header-login1-1] requested from [https://www.mail.com/int/]. Sanitized URL: [https://navigator-lxa.mail.com/login?edition=int&uasMobileServiceID=mobile.web.mail.mailcom.live&btnLogin=Log%20in&usertype=standard&ssl=true&mobileSuccessURL=https%3A%2F%2Fmobile-%2524%2520clientname%2520-%2524%2520datacenter%2520.mail.com%2Flogin%2339614811893832136627&lang=en&uasServiceID=mc_starter_mailcom&device=desktop&ott=9d72f85f-634b-40ff-8ef0-c5385058c0cd#7006545986910568443].
I've found your GMX fix on RequestWatchdog.js; please, maybe if you add the following code to your addon you can fix this issue.

Code: Select all

if (targetSite === "https://login.mail.com" && /^https?:\/\/(?:(?:www\.)?mail|s\.uicdn)\.com$/.test(originSite)) {
          return ;
        }

Re: GMX mail.com XSS page

Posted: Fri May 23, 2014 8:37 pm
by Giorgio Maone
Please check latest development build 2.6.8.26rc1, thanks.

Re: GMX mail.com XSS page

Posted: Tue May 27, 2014 2:32 pm
by G. Niemann
boris wrote:
Giorgio Maone wrote:Known issue with the new gmx.com UI, worked-around in NoScript 2.6.8.25.

Trying to fix it myself, I added one exception:

Code: Select all

^https://login\.mail\.com\/login.*$

-worked perfectly; thank you :!:

Re: GMX mail.com XSS page

Posted: Tue May 27, 2014 4:45 pm
by therube
> worked perfectly

What was that, the latest development build 2.6.8.26rc1 (& after reverting exception)?

Re: GMX mail.com XSS page

Posted: Thu May 29, 2014 10:21 pm
by Giorgio Maone
Please check latest development build 2.6.8.27rc1, too, thanks.

Re: GMX mail.com XSS page

Posted: Thu Jun 05, 2014 8:22 pm
by CatKiller
- it isnĀ“t problem for NoScript, but problem for addons FF - name Clean Links ; when CL is deactivated, problem missing - testing on FF/Nightly v32 :D
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited