SecurityTracker.com
Category:   Application (E-mail Server)  >   SquirrelMail Plugin (Address Add)
Vendors:   Conner, Jimmy
SquirrelMail 'Address Add' Plugin Input Validation Holes Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1014988
SecurityTracker URL:  http://securitytracker.com/id/1014988
CVE Reference:   CVE-2005-3128
Updated:  Jun 15 2008
Original Entry Date:  Sep 29 2005
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): prior to 2.1
Description:   A vulnerability was reported in the 'Address Add' plugin for SquirrelMail. A remote user can conduct cross-site scripting attacks.

The plugin does not properly filter HTML code from user-supplied input before displaying the input. A remote user can send a specially crafted email that, when processed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the SquirrelMail plugin and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit URL is provided:

/squirrelmail_root_dir/plugins/address_add/add.php?first=HOVER%20ME!%22%20onMouseOver=%22alert('foo');

The 'first' parameter and other parameters are affected.
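
An added illustration of the flaw described above, not the plugin's own source (which this page does not show): a request parameter written unescaped into a form field's value attribute, next to the escaped form. The function names and the input-field markup are assumptions; the test value is the decoded 'first' parameter from the demonstration URL.

```php
<?php
// Added illustration; NOT the Address Add plugin's source code.
// Function names and the <input> markup are assumptions for the example.

// Vulnerable pattern: the parameter is concatenated into the value
// attribute as-is, so a double quote in it ends the attribute early.
function render_field_unsafe(string $name, string $value): string
{
    return '<input type="text" name="' . $name . '" value="' . $value . '">';
}

// Hardened pattern: encode &, <, >, " and ' for the attribute context.
function render_field_safe(string $name, string $value): string
{
    $enc = static fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="' . $enc($name)
         . '" value="' . $enc($value) . '">';
}

// Parse the markup with PHP's HTML parser and list the attributes that
// end up on the <input> element.
function input_attributes(string $html): array
{
    $doc = new DOMDocument();
    $doc->loadHTML($html, LIBXML_NOERROR | LIBXML_NOWARNING);
    $input = $doc->getElementsByTagName('input')->item(0);
    $found = [];
    foreach ($input->attributes as $attr) {
        $found[strtolower($attr->name)] = $attr->value;
    }
    return $found;
}

// 'first' exactly as it appears in the demonstration URL, URL-decoded.
$first = rawurldecode("HOVER%20ME!%22%20onMouseOver=%22alert('foo');");

foreach (['render_field_unsafe', 'render_field_safe'] as $render) {
    $html  = $render('first', $first);
    $attrs = input_attributes($html);
    printf("%s\n  %s\n  attributes: %s\n  event handler injected: %s\n",
        $render, $html, implode(', ', array_keys($attrs)),
        isset($attrs['onmouseover']) ? 'yes' : 'no');
}
```

ENT_QUOTES matters here because the value sits inside a quoted attribute; encoding only < and > would leave the double quote intact and the attribute breakout would still work.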

The vendor was notified on September 24, 2005.

Moritz Naumann IT Consulting & Services reported this vulnerability.

The original advisory is available at:

http://moritz-naumann.com/adv/0002/sqmadd/0002.txt

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the SquirrelMail plugin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fixed version of the plugin (2.1), available at:

http://sqmail.org

Vendor URL:  www.sqmail.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [Full-disclosure] SquirrelMail Address Add Plugin XSS

SA0002

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++        SquirrelMail Address Add Plugin XSS        +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  Sep 28, 2005


PUBLISHED AT
  http://moritz-naumann.com/adv/0002/sqmadd/0002.txt


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg/Germany
  http://moritz-naumann.com/

  info AT moritz HYPHON naumann D0T com
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED PRODUCT OR SERVICE
  Address Add Plugin for Squirrelmail >= v1.4.0
  by Jimmy Conner
  http://sqmail.org/


AFFECTED VERSION
  Address Add Plugin Versions 1.9 and 2.0
  Possibly versions < 1.9 (untested)


BACKGROUND
  Everybody knows XSS.
  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


ISSUE
  An XSS vulnerability has been detected in the Address Add Plugin for
  Squirrelmail. The problem is caused by insufficient input sanitation.

  Sending an HTML email containing an IMG tag which provides a SRC
  attribute pointing at the vulnerable plugin may allow an attacker to
  retrieve the victim's cookie and session information without the
  victim being aware. The exploit may be triggered when the victim
  clicks on a specially crafted URL contained in the email and hovers
  over the address book form field.

  The following partial URL demonstrates the issue:

/squirrelmail_root_dir/plugins/address_add/add.php?first=HOVER%20ME!%22%20onMouseOver=%22alert('foo');

  Please move your mouse pointer over the input field which says so.

  Other variables on this script can be misused in the same way.


WORKAROUND
  Disable Javascript or disable plugin.


SOLUTIONS
  Version 2.1 of the plugin fixes the issue. The update is available on
  both the developers' website at
    http://sqmail.org
  and on the SquirrelMail website at
    http://squirrelmail.org/plugin_view.php?id=101


TIMELINE
  Sep 24, 2005: Maintainer informed
  Sep 25, 2005: First maintainer reply
  Sep 25, 2005: Maintainer provides fix
  Sep 29, 2005: Public disclosure


CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/


