Horde Internet Messaging Program (IMP) Cross-Site Scripting Flaw Lets Remote Users Steal Session Cookies and Hijack E-mail Sessions
SecurityTracker Alert ID: 1002726
SecurityTracker URL: http://securitytracker.com/id/1002726
Date: Nov 9 2001
Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): All stable versions up through 2.2.6
A cross-site scripting vulnerability has been reported in the Horde Project Internet Messaging Program (IMP). A remote user can potentially hijack an IMP session.
It is reported that a remote user can create a malicious HTML-based e-mail message such that, when the message is viewed, arbitrary code is executed by the target user's browser. The code will appear to originate from the mail server and will be able to access the user's web mail cookies and forward those cookies to another location.
After obtaining the cookies, the remote user can then hijack the session and read the target user's email.
It is reported that the development version 2.3 and 3.0 Release Candidate 1 are not affected by this vulnerability.
The vendor has reportedly been notified.
A demonstration exploit URL is provided in the Source Message.
A remote user can hijack another user's email session.
A new version is pending and will be available shortly. A patch is available. The author of the report states that you can apply the patch using:
or, if your IMP installation is already heavily customized, just escape the $message variable:
$message = htmlspecialchars($message);
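To show what that one-line change does, here is an added illustration (not code from IMP or the Horde project): a minimal message-rendering routine in the unescaped form the advisory describes, beside the htmlspecialchars() fix the report proposes. The function names, the wrapper markup and $sample_message are constructed for this example.

```php
<?php
// Added illustration, not code from IMP or the Horde project. The function
// names, the wrapper markup and $sample_message are constructed here.

// Constructed inbound message body; in the real flaw this text comes from a
// remote sender. The <script> element carries only a harmless marker.
$sample_message = "Hello,\n<script>/* constructed marker */</script>\nRegards";

// Vulnerable form: message text is pasted straight into the page, so any
// markup in the mail body runs in the webmail site's origin and can read
// the session cookie.
function render_message_unescaped($message)
{
    return '<div class="msgbody">' . nl2br($message) . '</div>';
}

// Fixed form: escape before output. ENT_QUOTES also neutralises single
// quotes (relevant if the text ever lands inside an attribute), and the
// explicit charset avoids encoding-dependent escaping. nl2br() runs after
// escaping so the <br /> it inserts is not itself escaped.
function render_message_escaped($message)
{
    $safe = htmlspecialchars($message, ENT_QUOTES, 'UTF-8');
    return '<div class="msgbody">' . nl2br($safe) . '</div>';
}

// Cheap regression check for a maintainer: the rendered page must not
// contain a live script element once the body has been escaped.
function has_live_script($html)
{
    return stripos($html, '<script') !== false;
}

echo has_live_script(render_message_unescaped($sample_message))
    ? "unescaped: script element present\n"
    : "unescaped: clean\n";
echo has_live_script(render_message_escaped($sample_message))
    ? "escaped: script element present\n"
    : "escaped: clean\n";
```

Escaping the whole body is the blunt fix the report offers; it also turns legitimate HTML mail into visible source, so rendering HTML mail safely needs an allowlist-based filter instead of plain escaping.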
Vendor URL: www.horde.org/imp/
Input validation error
Underlying OS: Linux (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: Imp Webmail session hijacking vulnerability
- After hijacking the cookies, the attacker can use the session and read
- Imp webmail is part of the Horde Application Framework, at
- Imp is included in the Linux Mandrake, Conectiva Distributions.
- It's used in several webmail sites, some of which
- All stable imp webmail versions, up to and including 2.2.6, are vulnerable; the
devel version, 2.3 and 3.0 Release Candidate 1 are not affected by this
- The horde team was warned about this and have committed a fix,
- To apply the patch use
- To exploit this vulnerability using a text message, the attacker sends an
which in turn redirects the user's browser to the attacker's server, where
he hijacks the cookies that the browser used in the context of the webmail
site, and therefore the session.
This attack is just one more example of how trusting user input is a Bad
Thing(tm), as well as the risks inherent in cross-site scripting attacks.
cookie-based session sites, after reading about the MS Wallet attack and saw
how almost 2 years after the CERT advisory on these techniques, lots of
applications are still vulnerable. There are probably lots of kids around
exploiting similar vulnerabilities. So check your web applications for
similar vulnerabilities and ask yourself how many times you have pasted
directly into the HTML some variable passed by the URL or cookie.
- For more info on cross-site scripting, read CERT advisory and
Imp Project homepage:
Marc Slemko's "Microsoft Passport to Trouble":
CERT advisory on cross-site scripting
Phibernet Information Network