Telaen 1.3.0 XSS / Open Redirection / Disclosure

2013-06-04T00:00:00
ID PACKETSTORM:121871
Type packetstorm
Reporter Manuel Garcia Cardenas
Modified 2013-06-04T00:00:00

Description

                                        
                                            `=============================================  
INTERNET SECURITY AUDITORS ALERT 2013-009  
- Original release date: March 15th, 2013  
- Last revised: June 4th, 2013  
- Discovered by: Manuel Garcia Cardenas  
- Severity: 4,8/10 (CVSS Base Score)  
- CVE-ID: CVE-2013-2621,  
CVE-2013-2623,  
CVE-2013-2624  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Multiple Vulnerabilities in Telaen <= 1.3.0  
  
II. BACKGROUND  
-------------------------  
Telaen is a webmail reader application supporting both IMAP and POP3  
protocols. It can be installed without dependence of any PHP's extra  
modules or a separate database. It is Open source software published  
under GNU General Public License (GPL).  
  
The last version of Telaen is 1.3.0 released on January 2012.  
  
III. DESCRIPTION  
-------------------------  
Telaen 1.3.0 and lower versions contain a flaw that allows a remote  
redirection attack. This flaw exists because the application does not  
properly sanitise the file "redir.php". This allows an attacker to  
create a specially crafted URL, that if clicked, would redirect a  
victim from the intended legitimate web site to an arbitrary web site  
of the attacker's choice.  
  
Aditionaly, it has been detected a reflected XSS vulnerability in  
Telaen 1.3.0 and lower versions, that allows the execution of  
arbitrary HTML/JavaScript code to be executed in the context of the  
victim user's browser. The code injection is done through the  
parameter "f_email" in the page index.php.  
  
Due to the errors caused by the application Telaen 1.3.0 and lower  
versions, we can display the full webapp installation path.  
  
IV. PROOF OF CONCEPT  
-------------------------  
REDIRECT:  
http://vulnerablesite.com/telaen/redir.php?http://www.malicious-site.com  
  
XSS:  
http://vulnerablesite.com/telaen/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>  
  
FULL PATH DISCLOSURE: http://vulnerablesite.com/telaen/inc/init.php  
  
V. BUSINESS IMPACT  
-------------------------  
REDIRECT: An attacker can redirect any user to any malicious website.  
Below I have mentioned the vulnerable URL.  
  
XSS: An attacker can execute arbitrary HTML or JavaScript code in a  
targeted user's browser, this can leverage to steal sensitive  
information as user credentials, personal data, etc.  
  
FULL PATH DISCLOSURE: An attacker can obtain the full path to the  
applitation and if the webroot is getting leaked, attackers may abuse  
the knowledge and use it in combination with file inclusion  
vulnerabilites to steal configuration files regarding the web  
application or the rest of the operating system.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Versions of Telaen < v1.3.1.  
  
VII. SOLUTION  
-------------------------  
REDIRECT AND XSS: All data received by the application and can be  
modified by the user, before making any kind of transaction with them  
must be validated.  
  
FULL PATH DISCLOSURE: Turn off display errors in the configuration and  
unify the error pages.  
  
VIII. REFERENCES  
-------------------------  
http://www.telaen.com  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
------------------------  
March 15, 2013: Initial release.  
June 4, 2013: Last release  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 15, 2013: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
March 20, 2013: Sent to Devel Team.  
March 28, 2013: Schedule for new version.  
April 4, 2013: New version published.  
June 3, 2013: Advisory sent to lists.  
  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is"  
with no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security, penetration testing, security compliance  
implementation and assessing. Our clients include some of the largest  
companies in areas such as finance, telecommunications, insurance,  
ITC, etc. We are vendor independent provider with a deep expertise  
since 2001. Our efforts in R&D include vulnerability research, open  
security project collaboration and whitepapers, presentations and  
security events participation and promotion. For further information  
regarding our security services, contact us.  
  
XIV. FOLLOW US  
-------------------------  
You can follow Internet Security Auditors, news and security  
advisories at:  
https://www.facebook.com/ISecAuditors  
https://twitter.com/ISecAuditors  
http://www.linkedin.com/company/internet-security-auditors  
http://www.youtube.com/user/ISecAuditors  
`