[UNIX] SquirrelMail XSS Vulnerabilities

From: support@securiteam.com
Date: 12/08/02

  • Next message: support@securiteam.com: "[UNIX] SAP Database Local Root via Symlink" 
    From: support@securiteam.com
To: list@securiteam.com
Date: 8 Dec 2002 22:07:40 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      SquirrelMail XSS Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    SquirrelMail can be caused to insert the scripting malicious JavaScript
    and HTML code, while it displays incoming emails. This is due to the fact
    that read_body.php does not filter incoming users input of the `mailbox'
    and `passed_id' variables.

    DETAILS

    Vulnerable systems:
     * SquirrelMail version 1.2.9 and prior
     * SquirrelMail version 1.2.10

    Example:
    http://hostname/src/read_body.php?mailbox=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&passed_id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&startMessage=1&show_more=0

    Vendor response:
    (To the author)
    Thank you for pointing this out. We would have been a lot more grateful if
    you had notified us of this issue prior to releasing the post, and it
    would have been fixed in our 1.2.10 release, which as you pointed out was
    released just yesterday. The lack of forward notification is frustrating,
    and it would have been nice to have heard earlier.

    Next time any issues such as this arise, please feel free to contact the
    project administrators/leaders (such as myself), which can all be found
    listed on <http://www.squirrelmail.org/about.php>
    http://www.squirrelmail.org/about.php.

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:just-a-user@yandex.ru>
    euronymous.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.