Uebimiau 2.7.11 Cross Site Scripting Vulnerability

=============================================
INTERNET SECURITY AUDITORS ALERT 2013-008
- Original release date: March 15th, 2013
- Last revised:  March 20th, 2013
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2621,
          CVE-2013-2622,
          CVE-2013-2623
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Uebimiau <= 2.7.11

II. BACKGROUND
-------------------------
UebiMiau is a webmail reader application supporting both IMAP and POP3
protocols. It can be installed without dependence of any PHP's extra
modules or a

separate database. It is Open source software published under GNU
General Public License (GPL).

UebiMiau has not been developed since March 2006 and does not work with
PHP 5.3 due to its use of deprecated functions. A new project, which is
a forked

reboot of UebiMiau based on the jimjag patches, named Telaen is an
actively developed drop-in replacement.

III. DESCRIPTION
-------------------------
Uebimiau 2.7.11 and lower versions contain a flaw that allows a remote
redirection attack. This flaw exists because the application does not
properly

sanitise the file "redir.php".  This allows an attacker to create a
specially crafted URL, that if clicked, would redirect a victim from the
intended

legitimate web site to an arbitrary web site of the attacker's choice.

Aditionaly, it has been detected a reflected XSS vulnerability in
Uebimiau 2.7.11 and lower versions, that allows the execution of
arbitrary HTML/JavaScript

code to be executed in the context of the victim user's browser. The
code injection is done through the parameter "f_email" in the page
index.php and

parameter "selected_theme" in the page error.php.

IV. PROOF OF CONCEPT
-------------------------
REDIRECT:
http://vulnerablesite.com/uebimiau/redir.php?http://www.malicious-site.com

XSS 1:
http://vulnerablesite.com/uebimiau/error.php?f_pass=blackybr&sess[auth]=1&selected_theme="><script>alert("XSS")</script>

XSS 2:
http://vulnerablesite.com/uebimiau/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>

V. BUSINESS IMPACT
-------------------------
REDIRECT: An attacker can redirect any user to any malicious website.
Below I have mentioned the vulnerable URL.

XSS: An attacker can execute arbitrary HTML or JavaScript code in a
targeted user's browser, this can leverage to steal sensitive
information as user

credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
All Versions of Uebimiau.

VII. SOLUTION
-------------------------
REDIRECT AND XSS: All data received by the application and can be
modified by the user, before making any kind of transaction with them
must be validated.

VIII. REFERENCES
-------------------------
http://www.uebimiau.org
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
------------------------
March   15, 2013 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March     15, 2013: Vulnerability acquired by
                    Internet Security Auditors (www.isecauditors.com)
March     20, 2013: Sent to devel Manager.
March     21, 2013: Answer. After 4 years of previous version, the
developer
                    will publish new patched version in 3 days!
September 26, 2013: Ask to devel manager for feedback
October   09, 2013: After some months without feedback, we do a
full-disclosure

#  0day.today [2018-03-14]  #