lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <45F89AB1.3030803@moritz-naumann.com>
Date: Thu, 15 Mar 2007 02:00:33 +0100
From: Moritz Naumann <security@...itz-naumann.com>
To: Full Disclosure <full-disclosure@...ts.grok.org.uk>,
	bugtraq@...urityfocus.com, moderators@...db.org
Cc: "security@...de.org" <security@...de.org>, admin@...erda.ch
Subject: Horde IMP Webmail Client version H3 (4.1.4) fixes multiple XSS issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

Horde IMP Webmail Client version H3 (4.1.4) was released a few hours
ago. It contains fixes for 2 XSS issues (compared to 4.1.4 RC1).


1. Script injection through email subject lines in threaded view

Subject lines of emails, when displayed in vulnerable versions of IMP in
'multiple message view' (IMP core) or with the thread plugin, are not
properly sanitized.

An email with a custom crafted subject which may then be loaded in the
authenticated webmail session of the victim may inject malicious client
side scripting code (such as Javascript) or HTML and allow for XSS attacks.

Example:
Subject: <script>alert('XSS')</script>

The issue is found in thread.php.



2. Multiple XSS in search function

A victims' web browser, running a previously authenticated IMP session,
may be forced into loading a custom crafted URL pointing to the email
search function. The payload will cause the client side script code
contained in the specially crafted URL to be executed in the security
context of the domain the vulnerable copy of IMP is accessed through.
This allows for mounting XSS attacks.

There were several XSS issues in the search function which have been
fixed at the same time.

Example:
[Base_HREF]/horde/imp/search.php?edit_query=%22%3E%3Cscript%3Ealert%28'XSS'%29%3C/script%3E%3Cx=%22


Credit for discovering both issues and providing a patch for the first
one goes to
  Immerda Project Group
  http://www.immerda.ch
and
  Moritz Naumann
  http://moritz-naumann.com


The developers' release announcement can be found at:
  http://lists.horde.org/archives/announce/2007/000316.html

General information on this application is available at
  http://www.horde.org/imp/

Moritz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFF+Jqxn6GkvSd/BgwRAkL9AJ9kpIExrPk2OKfhD+XpGGxK4YQ0OgCfb4bG
8SBYyCJorZCpFALUdzqTUCo=
=W/aM
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ