Security Advisory: MVSA-10-002
Vendor: Google
Service: Google Message Security SaaS (powered by Postini)
- Security Console (Admin Console)
- Message Center Classic
- Message Center II
Vulnerabilities: Multiple Cross-Site Scripting (XSS)
Risk: High
Attack Vector: From Remote
Authentication: Required
Reference: http://www.ventuneac.net/security-advisories/MVSA-10-002
http://secureappdev.blogspot.com/2010/09/testing-google-message-security-saas.html
Description
Multiple persistent and reflected Cross-Site Scripting (XSS) vulnerabilities
were identified in Security Console (Admin Console), Message Center Classic and
Message Center II services of Google Message Security (powered by Postini).
When exploited, the identified vulnerabilities could lead to Session Hijack,
Information Disclosure, force installation of malicious file or Trojan on
users' PCs, etc.
Security Console (Admin Console)
--------------------------------
* Persistent XSS: parameter setconf-neworg of /exec/admin_orgs resource
allows an attacker to inject malicious HTML and JavaScript code which is
persistently stored as part of a sub-organization name (ORGS and USERS>Orgs>Add
Sub-Org).
Additionally, an effective DoS attack can be mounted against the
organization's administrators by injecting malicious code which prevents the
Web user interface to render properly.
* Reflected XSS: multiple parameters of /exec/admin_list resource
* Reflected XSS: multiple parameters of /exec/admin_auth resource.
Message Center Classic
----------------------
* Reflected XSS: parameters add-good_address and add-bad_address of
/exec/MsgSet resource.
/exec/MsgSet?action=change_MsgSettings?add-good_addresses=a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Save+to+List&submit=Save+to+List
/exec/MsgSet?action=change_MsgSettings?add-bad_addresses=a%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E&submit=Save+to+List&submit=Save+to+List
* Reflected XSS: parameters msgid and disp parameters of /exec/MsgCtr
resource.
/exec/MsgCtr?action=display_Message&msgid=" style%3d"display: block; width:
500px; height: 500px; border: 5px solid black"
onmouseover%3d"javascript:alert(1)" yyy&disp=M
When Firefox 3.0.x is used (tested with FF 3.0.1), the attack above allows
rendering visible the hidden INPUT element. Thus, the injected JavaScript code
is successfully executed using onmouseover event.
/exec/MsgCtr?action=display_Message&msgid=yyy&disp=M"
onmouseover%3d"javascript: alert(1)"
Message Center II
-----------------
* Reflected XSS: parameters id and source_uri of /msgctr/message_display
resource.
/msgctr/message_display?id='%3balert(1)%3b//&source_uri=/app/msgctr/junk_quarantine
/msgctr/message_display?id=yyy&trash=trash&source_uri=%2Fapp%2Fmsgctr%2Ftrash%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
Affected Versions
Security Console build 6_24 (January 2010).
Message Center Classic build 6_24 (January 2010).
Message Center II build 6_24 (January 2010), build 6_25 (February 2010), build
6_26 (March 2010) and build 6_27 (April 2010).
Mitigation
Google fixed a first batch of vulnerabilities affecting Security Console and
Message Center Classic in build 6_25 (February 2010).
Additional fixes were included in subsequent releases, with the last fixes
added in build 6_29 (June 2010).
Disclosure Timeline
2010, January 24: Security Console and Message Centre II vulnerabilities
discovered
2010, January 24: Notification sent to Google
2010, January 25: Google acknowledges the vulnerabilities
2010, February 22: Google deploys first set of fixes
2010, April 27: Additional vulnerabilities identified and notification sent to
Google
2010, April 28: Additional vulnerabilities identified and notification sent to
Google
2010, June 21: Google deploys additional fixes
2010, September 15: MVSA-10-002 advisory published.
Credits
Dr. Marian Ventuneac
http://ventuneac.net