=============================================
INTERNET SECURITY AUDITORS ALERT 2006-010
- Original release date: September 28, 2006
- Last revised: December 1, 2006
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================
I. VULNERABILITY
-------------------------
XSS vulnerability in error page of ISMail.
II. BACKGROUND
-------------------------
ISMail is a webmail system. Programmed in HTML and PHP, it is designed
to work with any IMAP server. ISMail requires that PHP 4.2+, compiled
with IMAP and Session support, be installed on the server that
runs it. You have a choice of data-store backends (xml, encrypted
xml, mysql, and postgresql are included, each requiring their
respective PHP modules), and miscellaneous other options that can make
the Inside Systems Mail experience a little friendlier. Unlike most
other webmail programs, Inside Systems Mail is both quick and easy to
use. The layout, complete with address book and folder options, is
simple and familiar to most users. For administrators, the
data-stores and options are easily extensible so that Inside Systems
Mail can be dropped in nearly any configuration with minimal extra coding.
The product homepage is:
http://www.insidesystems.net/projects/project.php?projectid=4
III. DESCRIPTION
-------------------------
The error page "error.php" receives a parameter in the query string
that contains the error message to display.
This parameter ("error") can be manipulated by an attacker to inject
arbitrary script/HTML code.
This is dangerous because an XSS attack can obtain the session cookies
of authenticated users and spoof their sessions, or deface the error
page.
IV. PROOF OF CONCEPT
-------------------------
Example of XSS attack:
http://<webserver>/<path_to_ismail>/error.php?error=XSS%20attack%3Cscript%3Ealert(document.cookie);%3C/script%3E
V. BUSINESS IMPACT
-------------------------
An attacker can spoof the session of other authenticated users,
gaining access to their mail, or deface the error page.
VI. SYSTEMS AFFECTED
-------------------------
This vulnerability has been tested in the latest version of ISMail (2.0,
released on 2005-01-20).
Possibly all versions are affected by this vulnerability.
VII. SOLUTION
-------------------------
Update to the version from the repository.
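
The following PHP is an added example, not ISMail's code or the vendor's fix: it shows the pattern from section III (a query-string value written into the page) beside two corrected forms. The function names, the message table and the 200-byte cap are assumptions made for illustration.

```php
<?php
// Added example; hypothetical stand-in for an error page, not ISMail's error.php.
// In a real handler the input would come from $_GET['error'] ?? ''.

// Pattern from section III: the "error" value reaches the HTML unchanged,
// so markup in the query string becomes markup in the page.
function render_error_unsafe(string $error): string
{
    return '<p class="error">' . $error . '</p>';
}

// Fix 1: treat the value as text. Cap its length (200 bytes is an assumed
// limit) and encode it for the HTML context it is written into.
// ENT_SUBSTITUTE replaces any byte sequence left invalid by the cut.
function render_error_encoded(string $error): string
{
    $text = htmlspecialchars(substr($error, 0, 200), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p class="error">' . $text . '</p>';
}

// Fix 2: pass a short code instead of free text and look the message up
// server-side, so no request data is written into the page at all.
// The codes and messages are hypothetical.
const ERROR_MESSAGES = [
    'login'   => 'Login failed. Check your user name and password.',
    'timeout' => 'Your session has expired. Please log in again.',
];

function render_error_by_code(string $code): string
{
    $message = ERROR_MESSAGES[$code] ?? 'An unexpected error occurred.';
    return '<p class="error">' . htmlspecialchars($message, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Constructed input: the decoded "error" value from the advisory's section IV.
$sample = 'XSS attack<script>alert(document.cookie);</script>';

// The first call reproduces the problem; the other two return inert markup.
echo render_error_unsafe($sample), "\n";
echo render_error_encoded($sample), "\n";
echo render_error_by_code($sample), "\n";
```

Marking the session cookie HttpOnly (PHP's session.cookie_httponly setting) is a useful second layer against the cookie theft described in section III, but it does not prevent defacement of the error page.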
VIII. REFERENCES
-------------------------
http://www.insidesystems.net/projects/project.php?projectid=4
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com).
X. REVISION HISTORY
-------------------------
September 28, 2006: Initial release.
XI. DISCLOSURE TIMELINE
-------------------------
September 27, 2006: Vulnerability acquired by Vicente Aguilera Diaz,
Internet Security Auditors (www.isecauditors.com).
September 28, 2006: Initial vendor notification sent.
October 1, 2006: The vendor fixed the vulnerability in the repository.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.