lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3423.68.250.39.121.1138941327.squirrel@www.morx.org>
Date: Fri, 3 Feb 2006 04:35:27 -0000 (GMT)
From: simo@...x.org
To: bugtraq@...urityfocus.com
Subject: Neomail Cross Site Scripting Vulnerability


Title: Neomail Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: 24 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org

Service: Webmail Perl Client

Vendor: neomail / www.neocodesolutions.com

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Details:

NeoMail is a free open-source perl web-based e-mail client that can be
installed on any UNIX mail server that is also running a web server. With
thousands of installations worldwide, neomail has many features like
Sending/receiving messages with multiple attachments, inline image
attachment display Friendly, attractive, icon-based user interface,
multiple language support, including English, Spanish, German, French,
Hungarian, Italian, Dutch, Polish, Portuguese, Norwegian, Romanian,
Russian, Slovak, and more can be added easily ... configurable limits on
outgoing attachment size, folder disk usage, addressbook size... users can
import their address book from Outlook Express or Netscape Mail in CSV
format and more. neomail.pl is prone to cross-site scripting attacks. This
problem is due to a failure in the script to properly sanitize
user-supplied input. input can be passed in variable $date

Impact:

an attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authentified
neomail user in the context of the vulnerable website. resulting in the
theft of cookie-based authentication giving the
attacker full access to the victim's neomail email account as well as
other type of attacks.


Affected script with proof of concept exploit:

/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date"><script>alert('vul')</script>&folder&action=displayheaders&firstmessage=1

Examples:

http://www.vulnerable-site.com/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date"><script>alert('vul')</script>&folder=&action=displayheaders&firstmessage=1

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ