`Hi,
Horde IMP v4.3.7 and lower are subject to a cross site scripting (XSS)
vulnerability:
The fetchmailprefs.php script fails to properly sanitize user supplied
input to the 'fm_id' URL parameter. If exploited, injected code will be
persistent (persistent XSS) and will execute once the user (manually)
accesses mail fetching preferences.
The following URL can be used as a proof of concept:
> [path_to_horde_imp]/fetchmailprefs.php?actionID=fetchmail_prefs_save&fm_driver=imap&fm_id=zzz%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3Cx+y%3D%22&fm_protocol=pop3&fm_lmailbox=INBOX&save=Create
Prior authentication to IMP is required for immediate exploitation.
Follow-up authentication is also possible if the victims' IMP
configuration has folder maintenance options disabled.
This issue has been fixed by Jan Schneider of the Horde Project:
> http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11
According to him, Horde IMP v4.3.8 (or a release candidate) which fixes
this issue is to be released within the week. Release announcements will
likely be communicated through
http://lists.horde.org/mailman/listinfo/announce
Credits for this discovery:
Moritz Naumann
Naumann IT Security Consulting, Berlin, Germany
http://moritz-naumann.com
Thanks for reading,
Moritz
--
Naumann IT Security Consulting
Samariterstr. 16
10247 Berlin
Germany
Web http://moritz-naumann.com
GPG http://moritz-naumann.com/keys/0x277F060C.asc
17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C
Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation