neomailXSS.txt

2006-02-04T00:00:00
ID PACKETSTORM:43584
Type packetstorm
Reporter _6mO_HaCk
Modified 2006-02-04T00:00:00

Description

                                        
                                            `Title: Neomail Cross Site Scripting  
  
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>  
Discovered: 24 january 2005  
Published: 02 february 2006  
MorX Security Research Team  
http://www.morx.org  
  
Service: Webmail Perl Client  
  
Vendor: neomail / www.neocodesolutions.com  
  
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks  
  
Severity: Medium/High  
  
Details:  
  
NeoMail is a free open-source perl web-based e-mail client that can be  
installed on any UNIX mail server that is also running a web server. With  
thousands of installations worldwide, neomail has many features like  
Sending/receiving messages with multiple attachments, inline image  
attachment display Friendly, attractive, icon-based user interface,  
multiple language support, including English, Spanish, German, French,  
Hungarian, Italian, Dutch, Polish, Portuguese, Norwegian, Romanian,  
Russian, Slovak, and more can be added easily ... configurable limits on  
outgoing attachment size, folder disk usage, addressbook size... users can  
import their address book from Outlook Express or Netscape Mail in CSV  
format and more. neomail.pl is prone to cross-site scripting attacks. This  
problem is due to a failure in the script to properly sanitize  
user-supplied input. input can be passed in variable $date  
  
Impact:  
  
an attacker can exploit the vulnerable scripts to have arbitrary script  
code executed in the browser of an authentified  
neomail user in the context of the vulnerable website. resulting in the  
theft of cookie-based authentication giving the  
attacker full access to the victim's neomail email account as well as  
other type of attacks.  
  
  
Affected script with proof of concept exploit:  
  
/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date"><script>alert('vul')</script>&folder&action=displayheaders&firstmessage=1  
  
Examples:  
  
http://www.vulnerable-site.com/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date"><script>alert('vul')</script>&folder=&action=displayheaders&firstmessage=1  
  
Disclaimer:  
  
this entire document is for eductional, testing and demonstrating purpose  
only. Modification use and/or publishing this information is entirely on  
your OWN risk. The information provided in this advisory is to be  
used/tested on your OWN machine/Account. I cannot be held responsible for  
any of the above.  
`