Nameko Webmail Cross Site Scripting

Published: 29 Jun 2013 00:00:00 | Reported by: Andrea Menin | Type: packetstorm | Source: packetstormsecurity.com

Nameko Webmail XSS Vulnerability on version <= 0.10.146, allows execution of arbitrary javascript through HTTP GET reques

Code
* Nameko Webmail XSS Vulnerability on version <= 0.10.146  
* ========================================================  
*  
* Homepage: http://www.wizshelf.org/nameko/  
* Discovered by: Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)  
* Follow me: http://www.linkedin.com/in/andreamenin  
*  
* ========================================================  
  
Introduction:  
-------------  
Nameko is a set of tools for working with e-mail in PHP.  
Its core is a set of classes for retrieving mail from a  
POP3 server and parsing it to get the body (both plain text  
and HTML, if included) and the attachments. It also includes  
NamekoWebmail, a powerful webmail.  
  
  
  
Description:  
------------  
The XSS vulnerability is located on the credits page, where  
the font size can be changed through an HTTP GET parameter  
(e.g. fontsize=11). The content of the "fontsize" variable is  
written verbatim inside a <style> tag, so the tag can be closed  
early and arbitrary JavaScript executed from a <script> tag.  
  
The URL that triggers the XSS looks like this (url-decoded):  
  
?fontsize=11pt;+}+</style><script>alert(document.cookie)</script><style>body+{+font-size:11  
  
  
  
  
XSS URL:  
--------  
http[s]://** victim host **/nameko.php?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66  
  
or  
  
http[s]://** victim host **/?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66  
  
  
  
  
Patch:  
------  
This can be patched by validating the $_GET['fontsize'] variable,  
making sure that it is numeric only.  
  
// On file nameko.php (line 93), the parameter is stored unchecked:  
  
if($_GET['fontsize']) $_SESSION['FONTSIZE']=$_GET['fontsize'];  
  
  
// It should be replaced with something like this:  
  
if(isset($_GET['fontsize']) && preg_match('/^[0-9]{2}$/', $_GET['fontsize'])) {  
    $_SESSION['FONTSIZE'] = (int) $_GET['fontsize'];  // only a two-digit number is accepted  
} else {  
    $_SESSION['FONTSIZE'] = 11;                       // anything else falls back to the default  
}  
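The following is an added example (not from the advisory or the Nameko project): it models the injection point from the Description section in Python, applies the two-digit check from the Patch section, and scans constructed access-log lines for requests whose decoded fontsize breaks out of the <style> tag. The log lines, helper names and the rendering functions are assumptions for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

FONTSIZE_RE = re.compile(r'^[0-9]{2}$')          # the check from the advisory's patch
BREAKOUT_RE = re.compile(r'</style\s*>|<script', re.IGNORECASE)
DEFAULT_FONTSIZE = 11

def validate_fontsize(raw):
    """Accept only a two-digit number; anything else falls back to the default."""
    if raw is not None and FONTSIZE_RE.match(raw):
        return int(raw)
    return DEFAULT_FONTSIZE

def render_style_vulnerable(raw):
    """Models the original behaviour: the raw parameter is concatenated into <style>."""
    return "<style>body { font-size:" + raw + "pt }</style>"

def render_style_fixed(raw):
    """Only a validated integer reaches the markup, so '</style>' can never be injected."""
    return "<style>body { font-size:%dpt }</style>" % validate_fontsize(raw)

def fontsize_from_request(path):
    """URL-decode the fontsize query parameter from a request path (None if absent)."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    values = params.get("fontsize")
    return values[0] if values else None

REQUEST_RE = re.compile(r'"GET (\S+) HTTP/')

def scan_log(lines):
    """Return (line_no, decoded fontsize) for requests that break out of the <style> tag."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        value = fontsize_from_request(m.group(1))
        if value is not None and not FONTSIZE_RE.match(value) and BREAKOUT_RE.search(value):
            hits.append((n, value))
    return hits

# Constructed access-log lines: one normal request and one carrying the advisory's payload.
LOG = [
    '10.0.0.5 - - [29/Jun/2013:10:00:01 +0000] "GET /nameko.php?op=999&id=&colorset=VIOLET'
    '&fontsize=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [29/Jun/2013:10:00:07 +0000] "GET /nameko.php?op=999&id=&colorset=VIOLET'
    '&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E'
    '%3Cstyle%3EBODY+%7B+font-size%3A66 HTTP/1.1" 200 640',
]
```

Running `scan_log(LOG)` flags only the second line, with the decoded value showing the closed `</style>` tag and injected `<script>`.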
  
  
  
  
CREDITS:  
---------  
  
This vulnerability has been discovered  
by Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)  
  
  
LEGAL NOTICES:  
---------------  
The Author accepts no responsibility for any damage  
caused by the use or misuse of this information.  
