Sqwebmail (http://www.inter7.com/sqwebmail/) is a web cgi client for sending and receiving email using Maildir mailboxes.
During a web application security evaluation of Sqwebmail 184.108.40.20640524 we found an XSS (Cross Site Scripting) vulnerability inside the print_header_uc() function (in folder.c). This flaw can be exploited by a remote attacker using two vectors:
1) sending a raw email message with malformed headers, i.e. "<script>alert(document.location)</script>":
ashanti@dns:~$ telnet localhost 25
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 x.x.x.x ESMTP
helo foo
250 x.x.x.x
mail from:<email@example.com>
250 ok
rcpt to:<firstname.lastname@example.org>
250 ok
data
354 go ahead
<script>alert(document.location)</script>
.
[...]
This works only if Sqwebmail is configured to display the full headers (via the user's preferences or via the fullheaders cgi variable).
2) sending a raw email message with the MIME Content-Type header set to "message/delivery-status" with malformed content (see 1 above).
According to our quick examination of the source code, these are the only two calls to the vulnerable print_header_uc() function that take their argument from user input (i.e. from the content of email messages). Since this function does not properly filter "malicious" data (such as '<', '>', '&', and so on), an attacker who sends a carefully-crafted email message is able to inject and execute arbitrary script in the client browser context. This security flaw effectively enables an attacker to steal sensitive session information.
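The fix for this class of bug is to encode every header value as HTML text before it is written into the page, so that markup carried in a message is rendered literally instead of being interpreted by the browser. The following is an added example of such an encoding routine; it is not Sqwebmail's code and not the patch shipped in 4.0.5. The function names escape_header_html() and header_is_inert(), and the sample header value in main(), are constructed for this illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Sqwebmail's code. Returns a newly allocated copy of a
 * raw mail header value in which the HTML-significant characters are
 * replaced by entity references, so the value can be placed inside an HTML
 * page (the job print_header_uc() in folder.c performs) without any markup
 * contained in the message being interpreted by the browser.
 * The caller must free() the result. Returns NULL on allocation failure. */
char *escape_header_html(const char *raw)
{
    size_t out_len = 0;
    const char *p;
    char *out, *q;

    /* First pass: compute the length of the escaped string. */
    for (p = raw; *p; p++) {
        switch (*p) {
        case '&':  out_len += 5; break;   /* &amp;  */
        case '<':  out_len += 4; break;   /* &lt;   */
        case '>':  out_len += 4; break;   /* &gt;   */
        case '"':  out_len += 6; break;   /* &quot; */
        case '\'': out_len += 5; break;   /* &#39;  */
        default:   out_len += 1; break;
        }
    }

    out = malloc(out_len + 1);
    if (out == NULL)
        return NULL;

    /* Second pass: write the escaped text. */
    q = out;
    for (p = raw; *p; p++) {
        const char *rep = NULL;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   break;
        }
        if (rep != NULL) {
            size_t n = strlen(rep);
            memcpy(q, rep, n);
            q += n;
        } else {
            *q++ = *p;
        }
    }
    *q = '\0';
    return out;
}

/* Returns 1 if the escaped value contains none of the raw characters a
 * browser treats as tag or attribute delimiters, 0 otherwise. Handy as a
 * unit check on the output of escape_header_html(). */
int header_is_inert(const char *escaped)
{
    return strpbrk(escaped, "<>\"'") == NULL;
}

int main(void)
{
    /* Constructed sample: a header value of the kind described in the
     * advisory, as it would arrive in a raw message. */
    const char *raw = "<script>alert(document.location)</script>";
    char *safe = escape_header_html(raw);

    if (safe == NULL)
        return 1;
    printf("raw:     %s\nescaped: %s\ninert:   %d\n",
           raw, safe, header_is_inert(safe));
    free(safe);
    return 0;
}
```

The point of escaping at output time, rather than filtering on input, is that the routine does not need to recognise every way a browser might interpret a header: any byte that could open markup is neutralised regardless of what surrounds it, which also covers the message/delivery-status path described below, since both call sites pass their text through the same function.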
Inter7 and Sam Varshavchik (the author and current maintainer) were both contacted on June 11. On the same day, the author released Sqwebmail 4.0.5, which addresses the reported vulnerability. All Sqwebmail users are encouraged to upgrade to this latest version.
Luca Legato, OPST
Web Application Security Tester @ Mediaservice.net Srl, Divisione Sicurezza Dati
Via Raffaele Cadorna, 47 - 10137 Torino (TO) - IT
Tel +39-011-32.72.100 Fax +39-011-32.46.497
Disclaimer: http://mediaservice.net/disclaimer