Uebimiau 2.7.11 Cross Site Scripting / Open Redirection

`=============================================  
INTERNET SECURITY AUDITORS ALERT 2013-008  
- Original release date: March 15th, 2013  
- Last revised: March 20th, 2013  
- Discovered by: Manuel Garcia Cardenas  
- Severity: 4,8/10 (CVSS Base Score)  
- CVE-ID: CVE-2013-2621,  
CVE-2013-2622,  
CVE-2013-2623  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Multiple Vulnerabilities in Uebimiau <= 2.7.11  
  
II. BACKGROUND  
-------------------------  
UebiMiau is a webmail reader application supporting both IMAP and POP3  
protocols. It can be installed without dependence of any PHP's extra  
modules or a  
  
separate database. It is Open source software published under GNU  
General Public License (GPL).  
  
UebiMiau has not been developed since March 2006 and does not work with  
PHP 5.3 due to its use of deprecated functions. A new project, which is  
a forked  
  
reboot of UebiMiau based on the jimjag patches, named Telaen is an  
actively developed drop-in replacement.  
  
III. DESCRIPTION  
-------------------------  
Uebimiau 2.7.11 and lower versions contain a flaw that allows a remote  
redirection attack. This flaw exists because the application does not  
properly  
  
sanitise the file "redir.php". This allows an attacker to create a  
specially crafted URL, that if clicked, would redirect a victim from the  
intended  
  
legitimate web site to an arbitrary web site of the attacker's choice.  
  
Aditionaly, it has been detected a reflected XSS vulnerability in  
Uebimiau 2.7.11 and lower versions, that allows the execution of  
arbitrary HTML/JavaScript  
  
code to be executed in the context of the victim user's browser. The  
code injection is done through the parameter "f_email" in the page  
index.php and  
  
parameter "selected_theme" in the page error.php.  
  
IV. PROOF OF CONCEPT  
-------------------------  
REDIRECT:  
http://vulnerablesite.com/uebimiau/redir.php?http://www.malicious-site.com  
  
XSS 1:  
http://vulnerablesite.com/uebimiau/error.php?f_pass=blackybr&sess[auth]=1&selected_theme="><script>alert("XSS")</script>  
  
XSS 2:  
http://vulnerablesite.com/uebimiau/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>  
  
V. BUSINESS IMPACT  
-------------------------  
REDIRECT: An attacker can redirect any user to any malicious website.  
Below I have mentioned the vulnerable URL.  
  
XSS: An attacker can execute arbitrary HTML or JavaScript code in a  
targeted user's browser, this can leverage to steal sensitive  
information as user  
  
credentials, personal data, etc.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
All Versions of Uebimiau.  
  
VII. SOLUTION  
-------------------------  
REDIRECT AND XSS: All data received by the application and can be  
modified by the user, before making any kind of transaction with them  
must be validated.  
  
VIII. REFERENCES  
-------------------------  
http://www.uebimiau.org  
http://www.isecauditors.com  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).  
  
X. REVISION HISTORY  
------------------------  
March 15, 2013 1: Initial release  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 15, 2013: Vulnerability acquired by  
Internet Security Auditors (www.isecauditors.com)  
March 20, 2013: Sent to devel Manager.  
March 21, 2013: Answer. After 4 years of previous version, the  
developer  
will publish new patched version in 3 days!  
September 26, 2013: Ask to devel manager for feedback  
October 09, 2013: After some months without feedback, we do a  
full-disclosure  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with  
no warranties or guarantees of fitness of use or otherwise.  
Internet Security Auditors accepts no responsibility for any damage  
caused by the use or misuse of this information.  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security, penetration testing, security compliance  
implementation and assessing. Our clients include some of the largest  
companies in areas such as finance, telecommunications, insurance, ITC,  
etc. We are  
  
vendor independent provider with a deep expertise since 2001. Our  
efforts in R&D include vulnerability research, open security project  
collaboration and  
  
whitepapers, presentations and security events participation and  
promotion. For further information regarding our security services,  
contact us.  
  
XIV. FOLLOW US  
-------------------------  
You can follow Internet Security Auditors, news and security advisories at:  
https://www.facebook.com/ISecAuditors  
https://twitter.com/ISecAuditors  
http://www.linkedin.com/company/internet-security-auditors  
http://www.youtube.com/user/ISecAuditors  
`