lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <Pine.LNX.4.21.0210201919160.28852-200000@Tempo.Update.UU.SE>
From: ulfh at update.uu.se (Ulf Harnhammar)
Subject: NOCC: XSS

NOCC: XSS


PROGRAM: NOCC
VENDOR: Olivier Cahagne et al.
HOMEPAGE: http://nocc.sourceforge.net/
VULNERABLE VERSIONS: 0.9.5, possibly others
IMMUNE VERSIONS: 0.9.5 with my patch applied
SEVERITY: high
LOGIN REQUIRED: no


DESCRIPTION:

"NOCC is a simple and fast Web-based e-mail reader which can handle
POP3, SMTP, and IMAP servers. It is written with PHP4, and uses
sessions, has low requirements (no database, frames), and is easy
to install. It also features multi-language support, MIME attachment
decoding/encoding, and the ability to display HTML messages."

(direct quote from the program's project page at Freshmeat)

NOCC is published under the terms of the GNU General Public
License. It is one of the packages in Debian GNU/Linux and one of
FreeBSD's ports.


SUMMARY:

NOCC has got several cross-site scripting holes when displaying
e-mail messages. They allow an attacker to take over a victim's
e-mail account and/or perform actions against the victim's will,
by simply sending a malicious e-mail message to the victim.


TECHNICAL DETAILS:

1) If the e-mail message's MIME type is text/plain, the program
doesn't remove any HTML code from the mail body. It is shown "live".

2) When the victim selects "View header", no HTML codes are removed
from mail headers like Subject and Date (yes, you can write whatever
you like in the Date header).


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th and the 10th of July. They
haven't released any official fixed version yet.


MY PATCH:

I wrote a patch for these security holes, and it is included in
this mail as an attachment. I have patched against version 0.9.5.


// Ulf Harnhammar
   VSU Security
   ulfh@...ate.uu.se


"I saw the worst minds of my generation / getting their political
 information from tabloids / listening to Savage Garden's greatest
 hits / getting married and having kids at 25 just 'cause the
 neighbours did / and building the worst administrative web-based
 members interface ever known to man" (To B.)

-------------- next part --------------
--- nocc-0.9.5/functions.php.old	Sun Oct 20 00:12:34 2002
+++ nocc-0.9.5/functions.php	Sun Oct 20 00:27:12 2002
@@ -213,7 +213,7 @@
 		'body' => $glob_body,
 		'body_mime' => $tmp['mime'],
 		'body_transfer' => $tmp['transfer'],
-		'header' => $header,
+		'header' => htmlspecialchars($header),
 		'verbose' => $verbose,
 		'prev' => $prev_msg,
 		'next' => $next_msg
@@ -444,6 +444,7 @@
 	}
 	elseif (eregi('plain', $mime))
 	{
+		$body = htmlspecialchars($body);
 		$body = eregi_replace("(http|https|ftp)://([a-zA-Z0-9+-=%&:_.~?]+[#a-zA-Z0-9+]*)","<a href=\"\\1://\\2\" target=\"_blank\">\\1://\\2</a>", $body);
 		$body = eregi_replace("([#a-zA-Z0-9+-._]*)@([#a-zA-Z0-9+-_]*)\.([a-zA-Z0-9+-_.]+[#a-zA-Z0-9+]*)","<a href=\"$PHP_SELF?action=write&amp;mail_to=\\1@\\2.\\3&amp;lang=$lang\">\\1@\\2.\\3</a>", $body);
 		$body = nl2br($body);

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ