lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <s27je05kaj1sj8bk4ifltqk6tfp4gu4u1t@4ax.com>
From: roman at rs-labs.com (Roman Medina-Heigl Hernandez)
Subject: RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


  Hello,

  On 29.May.2004, I disclosed an important XSS vulnerability in latest
versions of a well-known webmail: SquirrelMail. Upon publication I
received the notice that other important webmails were also vulnerable
to the same bug. Indeed the same exploits released for SquirrelMail
worked without any changes in these systems. I decided to contact
several other webmail vendors and ask directly to check their software
and confirm or deny the vulnerability.

  The purpose of this brief advisory is to provide you with the
collected info in an objective and summarized way.

  PS: Sorry for the big delay.

 Saludos,
 --Roman

- --
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQOmPneR/in3q1WdCEQKHUQCfaNoy7mu+g0AKsK9LFiwVyT5zXJEAoIzW
h0imdE0FayaQLIFBiX47hpHW
=9k38
-----END PGP SIGNATURE-----

-------------- next part --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


          ===============================
           - RS-Labs Security Advisory -
          ===============================

  Tittle:   "Content-Type" XSS vulnerability affecting other webmail systems
      ID:   RS-2004-2
Severity:   Medium / High - Arbitrary tags injection in victim's browser context
    Date:   30.Jun.2004
  Author:   Rom?n Medina-Heigl Hern?ndez (a.k.a. RoMaNSoFt) <roman@...labs.com>
     URL:   http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt



.: [ SUMMARY ]

  On 29.May.2004, I disclosed an important XSS vulnerability in latest versions
of a well-known webmail: SquirrelMail. Upon publication I received the notice
that other important webmails were also vulnerable to the same bug. Indeed the
same exploits released for SquirrelMail worked without any changes in these
systems. I decided to contact several other webmail vendors and ask directly to
check their software and confirm or deny the vulnerability.

  The purpose of this brief advisory is to provide you with the collected info
in an objective and summarized way.



.: [ RESULTS ]

- - IMP 3.2.3 (from Horde project). Vulnerable.
"A new IMP version (3.2.4) that fixes this vulnerability has been released.
Thanks for working with us to reproduce this flaw and letting us know about
this security hole."
[Jan Schneider]
Solution: upgrade to release 3.2.4.

- - OpenWebmail 2.32. Vulnerable.
"This bug in openwebmail has already been fixed since openwebmail-2.32
20040603".
[Chung-Kie Tung]
Solution: upgrade to "openwebmail-current.tgz".

- - IlohaMail 0.8.12. Vulnerable.
"A vulnerability similar to the one you describe in your advisor was found
in IlohaMail some time ago, and was fixed on April 8th.  However, since
there has not been a release since then, the fix is currently only
available in CVS."
[Ryo Chijiiwa]
Solution: upgrade to release 0.8.13.

- - Sqwebmail 4.0.4. Vulnerable (to similar bug).
"Although sqwebmail did not have this content-type: vulnerability, versions
4.0.4 had a similar, related, cross-site scripting vulnerability when using
the "full headers" command, which was fixed in 4.0.5"
[Sam Varshavchik]
Solution: upgrade to release 4.0.5.

- - Camas. Not vulnerable.
"I tested the two exploits with Courier-IMAP as the IMAP server and it 
doesn't work (at least without modifications and lookup in the source 
code) and can't work for 3 reasons:
1) Camas IMAP client doesn't use BODYSTRUCTURE
2) Pike's MIME.Message object is quite picky and won't allow any strange 
content-type (tested with 7.6 and 7.2 which all Camas maintained 
versions used). Camas's IMAP client (which is everything except perfect) 
actually fail because of this (at least one good one point in it) so you 
can't read such a mail (but you can delete or move it).
3) Camas escapes any HTML/XHTML characters regarding content type and 
file name (btw can be interested to change the filename and check the 
result in SM...)"
[David Gourdelier]

- - BasiliX. Not vulnerable.
"Similar problems were reported in BasiliX-1.1.0 (and probably earlier
versions). When I took over maintenance of the project, between 1.1.0
and 1.1.1, some had been addressed and others hadn't. One of my first
priorities was to fix this problem. As far as I am aware, these issues
have been fixed in the latest stable release, BasiliX-1.1.1fix1, and in
the upcoming release 1.1.2. In fact the fix1 release was released very
quickly (within 24 hours) after 1.1.1 as a couple of XSS problems had
slipped the net.

As far as my tests go:

BasiliX-1.1.0 and earlier - vulnerable
BasiliX-1.1.1 (Nov 17 2003) - vulnerable
BasiliX-1.1.1_fix1 (Nov 18 2003) - not vulnerable
BasiliX cvs (and upcoming release) - not vulnerable"
[Mike Peters]

- - Hastymail. Not vulnerable.
Release 1.0 and current CVS are reported to be non-vulnerable.
" I am unable to duplicate the exploit with
hastymail, and I believe it to be secure against this particular attack. I
might also mention that hastymail uses NO javascript (one of our coding
guidelines) so users can disable it completely if need be."
[Jason Munro]

- - GatorMail. Not vulnerable.
"That said, I did a review and noticed that I missed a few on* events in  
html mail view which has been fixed in CVS and a hot fix has been  
applied to the only install of GatorMail I know of."
[Sandy McArthur]

- - JAWmail. Not vulnerable.
"JAWmail 2.0 and upward is not vulnerable to 'From address HTML code
insertion'. Also, JAWmail 1.x is not vulnerable. Same for Content-Type XSS bug."
[Rudi Benkovi?]
"I checked it against JAWmail 1.0.2 and it's save against this.
Since JAWmail uses imap_rfc822_write_address() for quite some while know to
generate a propper formatted output, I do not think that any older version is
vulnerable. I do not remember changing that part since I started with JAWmail
(was Version 0.9.18 I think)"
[Sebastian Dietz]

- - NS WebMail. Not vulnerable.
"Looking through my code, NS WebMail is not vulnerable (headers are
semi-"converted" using html entities before displaying).
However, there were dozens of other security concerns (even worse and
some more obvious) before 0.10.2, so in any case i urge my users to 
upgrade to that version."
[Alexandre Aufrere]



.: [ ACKNOWLEDGMENTS ]

  Some credits and thanks go to:

- - George Theall <theall@...aware.com> reported IMP 3.2.3 being vulnerable
- - Alejandro Ramos <aramosf@...ec.net> reported OpenWebmail 2.32 being vulnerable
- - Jan Schneider <jan@...de.org>. Horde (reported IMP 3.2.4 "fix" release)
- - Chuck Hagenbuch <chuck@...de.org>. Horde (fixed IMP code)
- - Chung-Kie Tung <openwebmail@...tle.ee.ncku.edu.tw>. OpenWebmail.
- - Sam Varshavchik <mrsam@...rier-mta.com>. SqWebmail
- - Xavier Beaudouin <kiwi@....net>. Camas
- - David Gourdelier <vida@...dium.net>. Camas
- - Ryo Chijiiwa <ryo@...hamail.org>. IlohaMail
- - Mike Peters <basilix@...2o.com>. BasiliX
- - Jason Munro <jason@...bev.com>. Hastymail
- - Sandy McArthur <Sandy@...rthur.org>. GatorMail
- - Rudi Benkovi? <rudi@...mail.org>. JAWmail
- - Sebastian Dietz <sebastian@...mail.org>. JAWmail.
- - Alexandre Aufrere <loopkin@...osoft.net>. NS WebMail



.: [ REFERENCES ]

* RS-2004-1 Advisory: SquirrelMail "Content-Type" XSS vulnerability
  http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

* RoMaNSoFt's Research Labs
  http://www.rs-labs.com/

                    -=EOF=-

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQOmN5eR/in3q1WdCEQLZjgCdHAZUTgNdTgLNXykoK0bpDdGnijgAnjJk
RMBD19qs+/sUhvyM9PXCIh5p
=vk2N
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ