Lucene search
K

Horde IMP 4.3.7 Cross Site Scripting

🗓️ 28 Sep 2010 00:00:00Reported by Moritz NaumannType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 43 Views

Horde IMP v4.3.7 XSS vulnerability fi

Code
`Hi,  
  
Horde IMP v4.3.7 and lower are subject to a cross site scripting (XSS)  
vulnerability:  
  
The fetchmailprefs.php script fails to properly sanitize user supplied  
input to the 'fm_id' URL parameter. If exploited, injected code will be  
persistent (persistent XSS) and will execute once the user (manually)  
accesses mail fetching preferences.  
  
The following URL can be used as a proof of concept:  
> [path_to_horde_imp]/fetchmailprefs.php?actionID=fetchmail_prefs_save&fm_driver=imap&fm_id=zzz%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3Cx+y%3D%22&fm_protocol=pop3&fm_lmailbox=INBOX&save=Create  
  
Prior authentication to IMP is required for immediate exploitation.  
Follow-up authentication is also possible if the victims' IMP  
configuration has folder maintenance options disabled.  
  
This issue has been fixed by Jan Schneider of the Horde Project:  
> http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11  
  
According to him, Horde IMP v4.3.8 (or a release candidate) which fixes  
this issue is to be released within the week. Release announcements will  
likely be communicated through  
http://lists.horde.org/mailman/listinfo/announce  
  
Credits for this discovery:  
  
Moritz Naumann  
Naumann IT Security Consulting, Berlin, Germany  
http://moritz-naumann.com  
  
Thanks for reading,  
  
Moritz  
  
--   
Naumann IT Security Consulting  
Samariterstr. 16  
10247 Berlin  
Germany  
  
Web http://moritz-naumann.com  
GPG http://moritz-naumann.com/keys/0x277F060C.asc  
17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C  
  
Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

28 Sep 2010 00:00Current
7.4High risk
Vulners AI Score7.4
43