IlohaMail Input Validation Bugs in 'read_message.php' Lets Remote Users Conduct Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1013701
SecurityTracker URL: http://securitytracker.com/id?1013701
CVE Reference: GENERIC-MAP-NOMATCH
Date: Apr 14 2005
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 0.8.14-rc2
Description: Several input validation vulnerabilities were reported in IlohaMail. A remote user can conduct cross-site scripting attacks.
The 'read_message.php' script does not properly encode or filter attacker-controlled e-mail content before rendering it. This occurs
when displaying an attachment's filename or MIME type and when displaying HTML-formatted e-mail messages. A remote user can send a
specially crafted e-mail to the target user. When the target user views the message or the attachment details, arbitrary scripting
code will be executed by the target user's browser. The code will originate from the site running the IlohaMail software and will
run in the security context of that site. As a result, the code will be able to access the target user's cookies (including
authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the
site, or take actions on the site acting as the target user.
Ulf Harnhammar of the Debian Security Audit Project discovered this vulnerability.
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
IlohaMail software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
Solution: No vendor solution was available at the time of this entry. The reporter's message below refers to a patch that fixes the
attachment filename and MIME type issues; its fix for HTML messages relies on strip_tags(), which the reporter notes can be bypassed
with allowed HTML elements carrying dangerous attributes such as style or onMouseOver.
Vendor URL: www.ilohamail.org/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
Reported By: Ulf Harnhammar <metaur@telia.com>
Message History:
None.
Source Message Contents
Date: Wed, 13 Apr 2005 21:42:30 +0200
From: Ulf Harnhammar <metaur@telia.com>
Subject: ilohamail: XSS security bugs
Hello,
I have found a bunch of XSS (cross-site scripting) security problems in ilohamail.
If a victim opens an e-mail message from an attacker in ilohamail, the attacker
may include JavaScript code in the message in several places, and it will be
executed by the victim's browser. This allows for stealing sessions or even
passwords and executing commands in someone else's name.
The XSS bugs exist when:
a) showing the filename of an attachment
b) showing the MIME media type of an attachment
c) showing HTML mails
I have attached test messages and a patch. The test message ilohamail1.msg shows
issue c, and test message ilohamail2.msg shows issues a and b. The patch solves
issues a and b correctly, but the fix for issue c just uses strip_tags(). It can
be bypassed by using allowed HTML elements with dangerous attributes like style
or onMouseOver. A better fix would be to incorporate an HTML stripper library,
like, ahem, my own library kses ( http://sourceforge.net/projects/kses ) or any
similar program.
I have CC'ed upstream.
// Ulf Harnhammar for the Debian Security Audit Project
http://www.debian.org/security/audit/
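The three sinks described above (attachment filename, attachment MIME type, HTML message body) and the strip_tags() bypass the reporter points out, modelled as an added example. This is not IlohaMail's code, the reporter's patch, or the kses library: IlohaMail is written in PHP, and this Python re-creation uses made-up function names and constructed sample inputs (not the reporter's ilohamail1.msg / ilohamail2.msg). The `tags_only` mode mimics a tag allowlist that keeps every attribute of a permitted element, which is why style= and onMouseOver= survive it; the default mode also applies a per-element attribute allowlist and only lets http:, https: and mailto: hrefs through.

```python
"""Added example (not IlohaMail's code): the reported XSS sinks and their fixes."""
import html
from html.parser import HTMLParser

# Constructed hostile inputs standing in for a crafted message.
ATTACHMENT_NAME = 'report.pdf<script>alert(document.cookie)</script>'
ATTACHMENT_TYPE = 'application/pdf<img src=x onerror="alert(1)">'
HTML_BODY = ('<p>Hi <b onmouseover="alert(document.cookie)">there</b>'
             '<script>alert(1)</script>'
             '<a href="javascript:alert(1)" style="color:red">link</a></p>')


def render_attachment_vulnerable(name, mime):
    """Issues a) and b): header values dropped straight into the page."""
    return f'<li>{name} ({mime})</li>'


def render_attachment_fixed(name, mime):
    """Filename and MIME type are data, never markup: entity-encode them."""
    return (f'<li>{html.escape(name, quote=True)} '
            f'({html.escape(mime, quote=True)})</li>')


ALLOWED_TAGS = {'p', 'br', 'b', 'i', 'u', 'a', 'ul', 'ol', 'li', 'blockquote'}
ALLOWED_ATTRS = {'a': {'href'}}          # per-element attribute allowlist
SAFE_URL_SCHEMES = ('http:', 'https:', 'mailto:')


class _Sanitizer(HTMLParser):
    """Rebuilds the body from an element allowlist.

    tags_only=True mimics strip_tags() with an allowed-tag list: permitted
    elements are kept with ALL their attributes, so event handlers, style=
    and javascript: hrefs on an allowed element survive (the bypass).
    """

    def __init__(self, tags_only):
        super().__init__(convert_charrefs=True)
        self.tags_only = tags_only
        self.out = []
        self.dropping = 0   # >0 while inside <script>/<style>: drop text too

    def handle_starttag(self, tag, attrs):
        if tag in ('script', 'style'):
            self.dropping += 1
            return
        if tag not in ALLOWED_TAGS:
            return              # element dropped, its text content is kept
        parts = [tag]
        for name, value in attrs:
            value = value or ''
            if self.tags_only:
                keep = True
            else:
                keep = name in ALLOWED_ATTRS.get(tag, set())
                if keep and name == 'href':
                    keep = value.strip().lower().startswith(SAFE_URL_SCHEMES)
            if keep:
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append('<' + ' '.join(parts) + '>')

    def handle_endtag(self, tag):
        if tag in ('script', 'style'):
            self.dropping = max(0, self.dropping - 1)
        elif tag in ALLOWED_TAGS and tag != 'br':
            self.out.append(f'</{tag}>')

    def handle_data(self, data):
        if not self.dropping:
            # Re-encode text so decoded entities cannot become markup.
            self.out.append(html.escape(data, quote=False))


def sanitize_html(body, tags_only=False):
    """Issue c). Default mode filters elements, attributes and URL schemes."""
    parser = _Sanitizer(tags_only)
    parser.feed(body)
    parser.close()
    return ''.join(parser.out)


if __name__ == '__main__':
    print(render_attachment_vulnerable(ATTACHMENT_NAME, ATTACHMENT_TYPE))
    print(render_attachment_fixed(ATTACHMENT_NAME, ATTACHMENT_TYPE))
    print(sanitize_html(HTML_BODY, tags_only=True))   # onmouseover= survives
    print(sanitize_html(HTML_BODY))                    # handlers and script gone
```

The attachment case needs nothing more than output encoding, because a filename or MIME type is never meant to carry markup. The HTML-body case cannot be solved by encoding (the mail is supposed to render as HTML) and cannot be solved by a tag allowlist alone, which is the reporter's point: the allowlist has to cover attributes and URL schemes as well as element names.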