Open-Xchange Web Mail Input Validation Hole Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1015431
|
|
SecurityTracker URL: http://securitytracker.com/id?1015431
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jan 3 2006
|
Impact: Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Version(s): 0.8.1-6 and prior versions
|
Description: A vulnerability was reported in Open-Xchange. A remote user can conduct cross-site scripting attacks.
The WebMail feature does not properly filter HTML code from e-mail messages before displaying the message in HTML format. A remote
user can send a specially crafted e-mail message that, when viewed by a target user, will cause arbitrary scripting code to be executed
by the target user's browser. The code will originate from the site running the Open-Xchange software and will run in the security
context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies),
if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on
the site acting as the target user.
Thomas Pollet reported this vulnerability.
|
Impact: A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the
Open-Xchange software, access data recently submitted by the target user via web form to the site, or take actions on the site acting
as the target user.
|
Solution: No solution was available at the time of this entry.
The report indicates that, as a workaround, you can disable "Inline HTML" in the WebMail options setting.
|
Vendor URL: mirror.open-xchange.org/ox/EN/community/ (Links to External Site)
|
Cause: Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: Thomas Pollet <thomas.pollet@gmail.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 3 Jan 2006 13:21:22 +0100
From: Thomas Pollet <thomas.pollet@gmail.com>
Subject: [Full-disclosure] Open Xchange XSS
|
--===============0031464283==
Content-Type: multipart/alternative;
boundary="----=_Part_18763_11554617.1136290882452"
------=_Part_18763_11554617.1136290882452
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Open Xchange webmail (<=3D0.8.1-6) suffers from xss.
http://mirror.open-xchange.org/ox/EN/community/
Vendor response:
For the commercial OX you don't need this as there exists additional
security
options where you will not able to use this session. It's a general problem
for
all web based mailers and some of them try to filter such scripts, some of
them
do not and show a warning instead that the document may contains "dangerous
content". But you will never be able to filter all possible scriptings.
Displaying HTML content is ALWAYS an unsecure option, so it is recommended
to
disable "Inline HTML" at the WebMail options. Anyway, I will check if I can
make
some basic filter to get most of such tags.
Cheers,
Thomas
------=_Part_18763_11554617.1136290882452
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
Content-Disposition: inline
Open Xchange webmail (<=3D0.8.1-6)<font style=3D"font-size: 14pt;"> </fo=
nt>suffers from xss.<br>
<a href=3D"http://mirror.open-xchange.org/ox/EN/community/" target=3D"_blan=
k" onclick=3D"return top.js.OpenExtLink(window,event,this)">http://mirror.o=
pen-xchange.org/ox/EN/community/</a><br>
<br>
Vendor response:<br>
For the commercial OX you don't need this as there exists additional securi=
ty<br>
options where you will not able to use this session. It's a general problem=
for<br>
all web based mailers and some of them try to filter such scripts, some of =
them<br>
do not and show a warning instead that the document may contains "dang=
erous<br>
content". But you will never be able to filter all possible scriptings=
.<br>
Displaying HTML content is ALWAYS an unsecure option, so it is recommended =
to<br>
disable "Inline HTML" at the WebMail options. Anyway, I will chec=
k if I can make<br>
some basic filter to get most of such tags.<br>
<br>
Cheers,<br>
<span class=3D"sg">
Thomas<br>
</span>
------=_Part_18763_11554617.1136290882452--
--===============0031464283==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--===============0031464283==--
|
|
