
[Full-Disclosure] RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems





  Hello,

  On 29.May.2004, I disclosed an important XSS vulnerability in latest
versions of a well-known webmail: SquirrelMail. Upon publication I
received the notice that other important webmails were also vulnerable
to the same bug. Indeed the same exploits released for SquirrelMail
worked without any changes in these systems. I decided to contact
several other webmail vendors and ask directly to check their software
and confirm or deny the vulnerability.

  The purpose of this brief advisory is to provide you with the
collected info in an objective and summarized way.

  PS: Sorry for the big delay.

 Saludos,
 --Roman

--
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]




          ===============================
           - RS-Labs Security Advisory -
          ===============================

   Title:   "Content-Type" XSS vulnerability affecting other webmail systems
      ID:   RS-2004-2
Severity:   Medium / High - Arbitrary tags injection in victim's browser context
    Date:   30.Jun.2004
  Author:   Román Medina-Heigl Hernández (a.k.a. RoMaNSoFt) <roman@xxxxxxxxxxx>
     URL:   http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt



.: [ SUMMARY ]

  On 29.May.2004, I disclosed an important XSS vulnerability in latest versions
of a well-known webmail: SquirrelMail. Upon publication I received the notice
that other important webmails were also vulnerable to the same bug. Indeed the
same exploits released for SquirrelMail worked without any changes in these
systems. I decided to contact several other webmail vendors and ask directly to
check their software and confirm or deny the vulnerability.

  The purpose of this brief advisory is to provide you with the collected info
in an objective and summarized way.



.: [ RESULTS ]

- IMP 3.2.3 (from Horde project). Vulnerable.
"A new IMP version (3.2.4) that fixes this vulnerability has been released.
Thanks for working with us to reproduce this flaw and letting us know about
this security hole."
[Jan Schneider]
Solution: upgrade to release 3.2.4.

- OpenWebmail 2.32. Vulnerable.
"This bug in openwebmail has already been fixed since openwebmail-2.32
20040603".
[Chung-Kie Tung]
Solution: upgrade to "openwebmail-current.tgz".

- IlohaMail 0.8.12. Vulnerable.
"A vulnerability similar to the one you describe in your advisory was found
in IlohaMail some time ago, and was fixed on April 8th.  However, since
there has not been a release since then, the fix is currently only
available in CVS."
[Ryo Chijiiwa]
Solution: upgrade to release 0.8.13.

- Sqwebmail 4.0.4. Vulnerable (to similar bug).
"Although sqwebmail did not have this content-type: vulnerability, versions
4.0.4 had a similar, related, cross-site scripting vulnerability when using
the "full headers" command, which was fixed in 4.0.5"
[Sam Varshavchik]
Solution: upgrade to release 4.0.5.

- Camas. Not vulnerable.
"I tested the two exploits with Courier-IMAP as the IMAP server and it
doesn't work (at least without modifications and lookup in the source
code) and can't work for 3 reasons:
1) Camas IMAP client doesn't use BODYSTRUCTURE
2) Pike's MIME.Message object is quite picky and won't allow any strange
content-type (tested with 7.6 and 7.2, which all Camas maintained
versions used). Camas's IMAP client (which is everything except perfect)
actually fails because of this (at least one good point in it), so you
can't read such a mail (but you can delete or move it).
3) Camas escapes any HTML/XHTML characters regarding content type and
file name (btw it can be interesting to change the filename and check the
result in SM...)"
[David Gourdelier]

- BasiliX. Not vulnerable.
"Similar problems were reported in BasiliX-1.1.0 (and probably earlier
versions). When I took over maintenance of the project, between 1.1.0
and 1.1.1, some had been addressed and others hadn't. One of my first
priorities was to fix this problem. As far as I am aware, these issues
have been fixed in the latest stable release, BasiliX-1.1.1fix1, and in
the upcoming release 1.1.2. In fact the fix1 release was released very
quickly (within 24 hours) after 1.1.1 as a couple of XSS problems had
slipped the net.

As far as my tests go:

BasiliX-1.1.0 and earlier - vulnerable
BasiliX-1.1.1 (Nov 17 2003) - vulnerable
BasiliX-1.1.1_fix1 (Nov 18 2003) - not vulnerable
BasiliX cvs (and upcoming release) - not vulnerable"
[Mike Peters]

- Hastymail. Not vulnerable.
Release 1.0 and current CVS are reported to be non-vulnerable.
" I am unable to duplicate the exploit with
hastymail, and I believe it to be secure against this particular attack. I
might also mention that hastymail uses NO javascript (one of our coding
guidelines) so users can disable it completely if need be."
[Jason Munro]

- GatorMail. Not vulnerable.
"That said, I did a review and noticed that I missed a few on* events in
html mail view which has been fixed in CVS and a hot fix has been
applied to the only install of GatorMail I know of."
[Sandy McArthur]

- JAWmail. Not vulnerable.
"JAWmail 2.0 and upward is not vulnerable to 'From address HTML code
insertion'. Also, JAWmail 1.x is not vulnerable. Same for Content-Type XSS bug."
[Rudi Benkovič]
"I checked it against JAWmail 1.0.2 and it's safe against this.
Since JAWmail has used imap_rfc822_write_address() for quite a while now to
generate properly formatted output, I do not think that any older version is
vulnerable. I do not remember changing that part since I started with JAWmail
(was Version 0.9.18 I think)"
[Sebastian Dietz]

- NS WebMail. Not vulnerable.
"Looking through my code, NS WebMail is not vulnerable (headers are
semi-"converted" using html entities before displaying).
However, there were dozens of other security concerns (even worse and
some more obvious) before 0.10.2, so in any case I urge my users to
upgrade to that version."
[Alexandre Aufrere]
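The fixes the vendors describe above (Camas, NS WebMail) all come down to entity-encoding header-derived strings before they reach the browser. The following Python sketch is an added illustration, not code from the advisory or from any of the webmail projects named: it parses a constructed MIME message whose attachment Content-Type "name" parameter carries markup, shows the unescaped rendering pattern beside the escaped one, and adds a small detection helper a mail gateway could run. The message content and function names are my own assumptions.

```python
"""Content-Type header parameters are attacker-controlled input to a webmail
viewer; this added example contrasts raw and entity-encoded rendering."""
import html
from email import message_from_string
from email.message import Message

# Constructed sample (not a real capture): the "name" parameter of the
# attachment's Content-Type contains HTML tags, the bug class of RS-2004-1/2.
SAMPLE_MESSAGE = (
    "From: sender@example.invalid\r\n"
    "To: user@example.invalid\r\n"
    "Subject: constructed sample\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="notes<b>bold</b>.txt"\r\n'
    "Content-Disposition: attachment\r\n"
    "\r\n"
    "data\r\n"
    "--b1--\r\n"
)


def parse_sample() -> Message:
    return message_from_string(SAMPLE_MESSAGE)


def render_attachment_list(msg: Message, escape: bool = True) -> list:
    """HTML fragments an attachment list would emit per attachment.
    escape=False reproduces the vulnerable pattern (header text copied
    straight into markup); escape=True is the fix the vendors describe."""
    items = []
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        raw_type = part.get("Content-Type", "")
        name = part.get_filename() or "(unnamed)"
        if escape:
            raw_type = html.escape(raw_type, quote=True)
            name = html.escape(name, quote=True)
        items.append('<li title="%s">%s</li>' % (raw_type, name))
    return items


def suspicious_content_type_params(msg: Message) -> list:
    """Detection helper: (param, value) pairs whose value contains characters
    that never belong in a media type or a plain filename."""
    flagged = []
    for part in msg.walk():
        for key, value in part.get_params() or []:
            if any(ch in str(value) for ch in '<>"'):
                flagged.append((key, value))
    return flagged


if __name__ == "__main__":
    m = parse_sample()
    print("unsafe:", render_attachment_list(m, escape=False))
    print("safe:  ", render_attachment_list(m, escape=True))
    print("flagged:", suspicious_content_type_params(m))
```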



.: [ ACKNOWLEDGMENTS ]

  Some credits and thanks go to:

- George Theall <theall@xxxxxxxxxxxx> reported IMP 3.2.3 being vulnerable
- Alejandro Ramos <aramosf@xxxxxxxxx> reported OpenWebmail 2.32 being
vulnerable
- Jan Schneider <jan@xxxxxxxxx>. Horde (reported IMP 3.2.4 "fix" release)
- Chuck Hagenbuch <chuck@xxxxxxxxx>. Horde (fixed IMP code)
- Chung-Kie Tung <openwebmail@xxxxxxxxxxxxxxxxxxxxx>. OpenWebmail.
- Sam Varshavchik <mrsam@xxxxxxxxxxxxxxx>. SqWebmail
- Xavier Beaudouin <kiwi@xxxxxxx>. Camas
- David Gourdelier <vida@xxxxxxxxxxx>. Camas
- Ryo Chijiiwa <ryo@xxxxxxxxxxxxx>. IlohaMail
- Mike Peters <basilix@xxxxxxxxx>. BasiliX
- Jason Munro <jason@xxxxxxxxxx>. Hastymail
- Sandy McArthur <Sandy@xxxxxxxxxxxx>. GatorMail
- Rudi Benkovič <rudi@xxxxxxxxxxx>. JAWmail
- Sebastian Dietz <sebastian@xxxxxxxxxxx>. JAWmail.
- Alexandre Aufrere <loopkin@xxxxxxxxxxxx>. NS WebMail



.: [ REFERENCES ]

* RS-2004-1 Advisory: SquirrelMail "Content-Type" XSS vulnerability
  http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

* RoMaNSoFt's Research Labs
  http://www.rs-labs.com/

                    -=EOF=-
