Message-ID: <Pine.LNX.4.21.0209230223370.11346-100000@Tempo.Update.UU.SE>
From: ulfh at update.uu.se (Ulf Harnhammar)
Subject: JAWmail XSS

JAWmail XSS


PROGRAM: JAWmail
VENDOR: Rudi Benkovic <rudi@...mail.org> et al.
HOMEPAGE: http://www.jawmail.org/
VULNERABLE VERSIONS: 1.0-rc1, possibly others
IMMUNE VERSIONS: 2.0-rc1 and later
LOGIN REQUIRED: no
SEVERITY: high


DESCRIPTION:

JAWmail (Just Another Web Mail) is a pretty ambitious web mail
client project. It is written in PHP, and it is published under
the GNU GPL.


SUMMARY:

There are several cross-site scripting holes in JAWmail that are
triggered by reading incoming e-mail messages. An attacker can
use them to take over a victim's e-mail account by simply sending
certain malicious e-mails to the victim.


TECHNICAL DETAILS:

1) Read Mail shows the names of attached files without cleaning
those names (removing HTML elements).

2) text/html mails are not cleaned at all, when they are shown in
a pop-up window.

3) When Read Mail displays text/html mails, they are cleaned with
PHP's strip_tags() function with some appropriate parameters. This
function removes evil HTML elements, but not nice HTML elements
with evil HTML attributes, so you can still perform XSS attacks like:

<b onMouseOver="alert(document.cookie)">bolder</b>


// Ulf Harnhammar
ulfh@...ate.uu.se
http://www.metaur.nu/
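
Added example (not part of the original advisory and not JAWmail code): it shows the strip_tags() behaviour from item 3 beside a rebuild of the HTML that never copies attributes, and the output escaping that item 1 calls for. The function names clean_html() and render_node() and the element allowlist are hypothetical; PHP's DOM extension is assumed to be available.

```php
<?php
// Added example; clean_html() and render_node() are hypothetical names.

// Constructed input: the payload from item 3 plus a script element.
$mail = 'Hi <b onMouseOver="alert(document.cookie)">bolder</b><script>x()</script>';

// Item 3: strip_tags() with an allowlist keeps allowed elements *and* all
// of their attributes, so the event handler is still present in $weak.
$weak = strip_tags($mail, '<b><i><p><br>');

// Re-serialise a parsed node: text is escaped, allowlisted elements are
// written back as bare tags, and no attribute is ever copied to the output.
function render_node(DOMNode $node, array $allowed): string
{
    if ($node instanceof DOMText) {
        return htmlspecialchars($node->nodeValue, ENT_QUOTES, 'UTF-8');
    }
    if (!($node instanceof DOMElement)) {
        return '';                       // comments, processing instructions
    }
    $tag = strtolower($node->nodeName);
    if ($tag === 'script' || $tag === 'style') {
        return '';                       // drop the element with its content
    }
    $inner = '';
    foreach ($node->childNodes as $child) {
        $inner .= render_node($child, $allowed);
    }
    if (!in_array($tag, $allowed, true)) {
        return $inner;                   // unwrap unknown elements, keep text
    }
    return $tag === 'br' ? '<br>' : "<$tag>$inner</$tag>";
}

function clean_html(string $html, array $allowed = ['b', 'i', 'p', 'br']): string
{
    libxml_use_internal_errors(true);    // malformed mail HTML is normal
    $doc = new DOMDocument();
    $doc->loadHTML('<?xml encoding="UTF-8">' . $html);
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    return $body ? render_node($body, $allowed) : '';
}

echo "strip_tags: $weak\n";
echo 'rebuilt:    ' . clean_html($mail) . "\n";

// Item 1: an attachment name is plain text, so escape it on output.
$name = '<b onMouseOver="alert(document.cookie)">a</b>.txt';  // constructed
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . "\n";
```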

