SecurityvulnsSECURITYVULNS:DOC:10326Horde MIME Viewer vulnerability
Title : Cross-Site-Scripting Vulnerability in Horde IMP.
Date : November 17, 2005
Product : Horde MIME Viewer <3.0.7 vulnerability
Discovered by : Daniel Schreckling
Overview
The Horde [http://www.horde.org] Project comprises a set of Web-based productivity, messaging, and
project-management applications, each of which is described below. The Horde Framework is a common
code-base used by Horde applications, including libraries and a common user interface.
IMP [http://www.horde.org/imp/] is the Internet Messaging Program (formerly, among other things, the
IMAP webMail Program), a webmail system and a component of the Horde project. IMP is the most
widely-deployed component of Horde.
IMP offers most of the features users have come to expect from their conventional mail programs,
including attachments, spell-check, address books, multiple folders, and multiple-language support.
Among other features the Internet Messaging Program offers the possibility to display inline
attachments using so called MIME viewers. Due to a mishandling of these attachments in some viewers a
possible attacker can infiltrate arbitrary JavaScript code, delete messages, steal authentication or
session cookies etc.
Details
Due to security concerns Horde IMP and its internal MIME viewers respectively prevent to display inline
messages by default. As an example, HTML pages, that may contain malicious code are not displayed. It
goes one step further and filters these HTML pages when the display of these attachment is enforced by
the user, this is, possibly harmful client side code as <script> tags are deleted.
The same behavior is expected with files which were packed using gzip. However, The Horde Mime Viewer
erroneously handles gzip inline attachments differently. It simply unpacks (if supported by the server)
these files and displays them as inline code within IMP. Thus, if the compressed file contains malicious
code such as JavaScript a possible attacker is able to execute arbitrary code to manipulate the web
interface, delete messages or steal cookies.
Example:
- Copy <script>alert("Test");</script> into a file.
* Compress this file using gzip
* Send the file as an inline attachment to your email account
* Open the mail you received with your Horde application and
the message will popup.
The same effect can be observed when using other applications that produce intermediate formats.
Example:
- Before compressing the file in the last example, simply tar it and
proceed as you did before.
* Same effect.
Impact
Possible disclosure of user/session information and possible harm to the user due to
deleted/manipulated messages/address books.
This vulnerability is only exploitable if the vulnerable version of the Horde MIME viewer is used
together with a remotely accessible interface like Horde IMP.
Solution/workaround
As long as this glitch is unremedied the display of any inline message should be prevented (see
config/mime_drivers.php).
As an alternative the css and tgz MIME drivers can be disabled by removing them from the
$mime_drivers_map['horde']['registered'] list in horde/config/mime_drivers.php
Horde also provides two patches to remove this vulnerability. For more details please see the Horde
3.0.7 security release.
References
Horde
http://www.horde.org
Horde IMP
http://www.horde.org/imp/
Horde 3.0.7 security release
http://lists.horde.org/archives/announce/2005/000232.html
About Daniel Schreckling
Since 2004, Daniel Schreckling
(http://www.informatik.uni-hamburg.de/SVS/personnel/daniel/) is a member of the Research Unit "Security
in Distributed Systems" (http://www.informatik.uni-hamburg.de/SVS/) at the University of Hamburg.