
XSS and Content Injection in HTC Windows Mobile SMS Preview PopUp

2010-04-23 00:00:00
vulners.com


Date: 22.04.2010


  • Description
    Windows Mobile shows message previews if configured to do so. Due to missing input validation, the contents of an SMS are not sanitized and are rendered as-is,
    so markup in the message is interpreted by the preview popup. This can lead to content injection and XSS.

  • Example
    Send an SMS with the following sample contents to a Windows Mobile based device that has message preview enabled:

  1. <html><head><meta http-equiv="refresh" content="0; URL=http://www.google.de/"></head></html>
  2. <script>alert('Thats evil')</script>
  3. You know what you can do with that, find your own…
  • Tested on
    HTC Touch Pro 2, Windows Mobile 6.5
    Other devices from HTC are vulnerable too

  • Solution
    Disable the "Show Message" option in the notification settings, or, if the device is from HTC, install the patch HTC supplies for your device (which does the same).
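The root cause described above is a preview popup that drops the raw message body into an HTML fragment. The following added example (not part of the advisory and not HTC's or Microsoft's code) models that popup in Python: the flawed rendering next to an escaped one, plus a check that lists any tags the message smuggled into the fragment. The preview template, the sender numbers and the preview length are constructed for the demo; the two payloads are the ones listed in the Example section.

```python
# Added example: models an SMS preview popup that builds an HTML fragment from
# the message body. Template, sender numbers and preview length are constructed
# for this demo, not taken from Windows Mobile.
from html import escape
from html.parser import HTMLParser

PREVIEW_MAX_CHARS = 160  # one GSM SMS segment; constructed limit for the demo

# Constructed sample messages: one benign text and the advisory's two payloads.
SAMPLE_MESSAGES = [
    ("+49 170 0000000", "Meeting at 9 <3"),
    ("+49 170 0000001",
     '<html><head><meta http-equiv="refresh" content="0; URL=http://www.google.de/"></head></html>'),
    ("+49 170 0000002", "<script>alert('Thats evil')</script>"),
]


def render_preview_unsafe(sender: str, body: str) -> str:
    """The flawed pattern: message text joins the HTML fragment unescaped."""
    return f'<div class="sms-preview"><b>{sender}</b>: {body[:PREVIEW_MAX_CHARS]}</div>'


def render_preview_safe(sender: str, body: str) -> str:
    """Hardened: every untrusted field is HTML-escaped before it joins the
    fragment. Truncate first, then escape, so an entity is never cut in half."""
    return (
        '<div class="sms-preview"><b>' + escape(sender, quote=True) + "</b>: "
        + escape(body[:PREVIEW_MAX_CHARS], quote=True) + "</div>"
    )


class _TagCollector(HTMLParser):
    """Records the start tags an HTML renderer would actually see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(fragment: str) -> list[str]:
    """Tags in the fragment beyond the two the template itself emits (div, b).
    A non-empty result means message content reached the renderer as markup."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return [t for t in collector.tags if t not in ("div", "b")]


if __name__ == "__main__":
    for sender, body in SAMPLE_MESSAGES:
        print("unsafe:", injected_tags(render_preview_unsafe(sender, body)))
        print("safe:  ", injected_tags(render_preview_safe(sender, body)))
```

Running the script shows the refresh payload contributing html, head and meta tags and the second payload a script tag through the unsafe renderer, while the escaped renderer yields no injected tags for any of the three messages.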

  • Credits

The vulnerability was discovered by Michael Mueller from Integralis
michael#dot#mueller#at#integralis#dot#com

Inspired by the Palm WebOS SMS Hack by intrepidusgroup

  • Timeline
    22.04.2010 - Vulnerabilities discovered
    22.04.2010 - Public release