[UNIX] NOCC Contains Cross Site Scripting Vulnerabilities
From: support@securiteam.com Date: 10/21/02
From: support@securiteam.com To: list@securiteam.com Date: 21 Oct 2002 18:22:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NOCC Contains Cross Site Scripting Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://nocc.sourceforge.net/> NOCC is a webmail client written in PHP.
It provides webmail access to IMAP and POP3 accounts. A security
vulnerability in the product allows remote attackers to cause it to return
arbitrary HTML and JavaScript to end users.
DETAILS
Vulnerable systems:
* NOCC version 0.9.5 and prior
NOCC has several cross-site scripting holes when displaying e-mail
messages. They allow an attacker to take over a victim's e-mail account
and/or perform actions against the victim's will, simply by sending a
malicious e-mail message to the victim.
Technical details:
1) If the e-mail message's MIME type is text/plain, the program does not
escape or remove any HTML in the mail body; the markup is rendered "live".
2) When the victim selects "View header", no HTML is removed from mail
headers such as Subject and Date (yes, you can write whatever you like
in the Date header).
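To make the two holes and the order of operations in the unofficial patch concrete, here is an added Python port of the plain-text rendering path (not part of the advisory or of NOCC's code). The sample body and headers are constructed, and `has_foreign_tags` is a hypothetical helper that flags any markup the renderer did not emit itself.

```python
import html
import re

# Constructed sample input (not from the advisory): a text/plain body that
# carries a URL with a query string plus a script tag, and a Date header
# carrying an img tag, mirroring the two holes the advisory describes.
SAMPLE_BODY = "Hi,\nsee http://example.test/?a=1&b=2\n<script>alert(1)</script>\n"
SAMPLE_HEADERS = {"Subject": "meeting", "Date": "Mon, 21 Oct 2002 <img src=x onerror=alert(1)>"}

# Simplified port of the patch's URL pattern; ';' is allowed so that an
# already-escaped '&amp;' inside a query string stays part of the link.
URL_RE = re.compile(r"(https?|ftp)://([A-Za-z0-9+\-=%&;:_.~?/]+)", re.I)
ANCHOR = r'<a href="\1://\2" target="_blank">\1://\2</a>'

def nl2br(text):
    return text.replace("\n", "<br />\n")

def render_plain_unpatched(body):
    # Pre-patch behaviour: tags in a text/plain body reach the browser as-is.
    return nl2br(URL_RE.sub(ANCHOR, body))

def render_plain_patched(body):
    # Patched order: escape the untrusted text first, then generate anchors
    # from it, then convert newlines. html.escape also converts quotes.
    return nl2br(URL_RE.sub(ANCHOR, html.escape(body, quote=True)))

def render_plain_wrong_order(body):
    # Escaping after linkifying neutralises the script tag but also destroys
    # the anchors we generated, which is why the patch escapes first.
    return nl2br(html.escape(URL_RE.sub(ANCHOR, body), quote=True))

def render_headers(headers):
    # The "View header" fix: escape each header value before display.
    return "\n".join(f"{k}: {html.escape(v, quote=True)}" for k, v in headers.items())

def has_foreign_tags(rendered):
    # Check: does the output contain any tag other than the ones we emit?
    tags = re.findall(r"<(/?\w+)", rendered)
    return any(t.lower() not in ("a", "/a", "br") for t in tags)

if __name__ == "__main__":
    for name, fn in (("unpatched", render_plain_unpatched), ("patched", render_plain_patched)):
        print(name, "foreign tags:", has_foreign_tags(fn(SAMPLE_BODY)))
    print(render_headers(SAMPLE_HEADERS))
```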
Vendor status:
The vendor was contacted on the 9th and the 10th of July. They haven't
released any official fixed version yet.
Unofficial patch:
Ulf wrote a patch for these security holes, and it is included in this
mail. The patch is against version 0.9.5.
--- nocc-0.9.5/functions.php.old Sun Oct 20 00:12:34 2002
+++ nocc-0.9.5/functions.php Sun Oct 20 00:27:12 2002
@@ -213,7 +213,7 @@
'body' => $glob_body,
'body_mime' => $tmp['mime'],
'body_transfer' => $tmp['transfer'],
- 'header' => $header,
+ 'header' => htmlspecialchars($header),
'verbose' => $verbose,
'prev' => $prev_msg,
'next' => $next_msg
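Review bot: `htmlspecialchars($header)` escapes the value where the array is built rather than where it is output, so add a comment stating that 'header' is now HTML-escaped, to keep the template from escaping it a second time or treating it as raw HTML elsewhere. Also note that htmlspecialchars() with default arguments converts double quotes but not single quotes, so the template must not place this value inside a single-quoted attribute.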
@@ -444,6 +444,7 @@
}
elseif (eregi('plain', $mime))
{
+ $body = htmlspecialchars($body);
$body =
eregi_replace("(http|https|ftp)://([a-zA-Z0-9+-=%&:_.~?]+[#a-zA-Z0-9+]*)","<a href=\"\\1://\\2\" target=\"_blank\">\\1://\\2</a>", $body);
$body =
eregi_replace("([#a-zA-Z0-9+-._]*)@([#a-zA-Z0-9+-_]*)\.([a-zA-Z0-9+-_.]+[#a-zA-Z0-9+]*)","<a href=\"$PHP_SELF?action=write&mail_to=\\1@\\2.\\3&lang=$lang\">\\1@\\2.\\3</a>", $body);
$body = nl2br($body);
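Review bot: The placement is right: escaping before the two eregi_replace() calls means the generated anchors survive, and an escaped `&amp;` inside a query string still matches the URL pattern because `;` falls within its `+-=` range. The context lines still interpolate `$PHP_SELF` and `$lang` into the mailto href without escaping; since `$PHP_SELF` reflects the request path, pass both through htmlspecialchars() as well, and write the `&` between the query parameters in that href as `&amp;`.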
ADDITIONAL INFORMATION
The information has been provided by <mailto:ulfh@update.uu.se> Ulf
Harnhammar.
========================================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.