lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <433B1D04.4070300@moritz-naumann.com>
Date: Thu, 29 Sep 2005 00:45:24 +0200
From: Moritz Naumann <info@...itz-naumann.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>, 
	bugtraq@...urityfocus.com
Subject: SquirrelMail Address Add Plugin XSS


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



SA0002

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++        SquirrelMail Address Add Plugin XSS        +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  Sep 28, 2005


PUBLISHED AT
  http://moritz-naumann.com/adv/0002/sqmadd/0002.txt


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg/Germany
  http://moritz-naumann.com/

  info AT moritz HYPHON naumann D0T com
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED PRODUCT OR SERVICE
  Address Add Plugin for Squirrelmail >= v1.4.0
  by Jimmy Conner
  http://sqmail.org/


AFFECTED VERSION
  Address Add Plugin Versions 1.9 and 2.0
  Possibly versions < 1.9 (untested)


BACKGROUND
  Everybody knows XSS.
  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


ISSUE
  A XSS vulnerability has been detected in the Address Add Plugin for
  Squirrelmail. The problem is caused by insufficient input sanitation.

  Sending a HTML email containing an IMG tag which provides a SRC
  attribute pointing at the vulnerable plugin may allow an attacker to
  retrieve the victims' cookie and session information without the
  victim being aware. The exploit may be triggered when the victim
  clicks on a specially crafted URL contained in the email and hovers
  the address book form field.

  The following partial URL demonstrates the issue:

/squirrelmail_root_dir/plugins/address_add/add.php?first=HOVER%20ME!%22%20onMouseOver=%22alert('foo');

  Please move your mouse pointer over the input field which says so.

  Other variables on this script can be misused in the same way.


WORKAROUND
  Disable Javascript or disable plugin.


SOLUTIONS
  Version 2.1 of the plugin fixes the issue. The update is available on
  boths the developers' website at
    http://sqmail.org
  and on the SquirrelMail website at
    http://squirrelmail.org/plugin_view.php?id=101


TIMELINE
  Sep 24, 2005: Maintainer informed
  Sep 25, 2005: First maintainer reply
  Sep 25, 2005: Maintainer provides fix
  Sep 29, 2005: Public disclosure


CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDOx0En6GkvSd/BgwRAu4MAKCFk8Qawjt5p5oG1NYJpbvb9S1P5wCfdhDx
KWCJsXrTsmDnB3zv9gN3Nec=
=+0J4
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ