[UNIX] Sqwebmail Cross Site Scripting
From: SecuriTeam (support_at_securiteam.com)
Date: 06/22/04
To: list@securiteam.com Date: 22 Jun 2004 19:16:56 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Sqwebmail Cross Site Scripting
------------------------------------------------------------------------
SUMMARY
" <http://www.inter7.com/index.php?page=sqwebmail> SqWebMail is a web CGI
client for sending and receiving E-mail using Maildir mailboxes. SqWebMail
DOES NOT support traditional Mailbox files, only Maildirs."
A cross site scripting vulnerability has been found in SqWebMail. A
malicious user can inject script code that will run in the context of a
user viewing an Email through the CGI system by using the script code as
the SMTP mail headers when sending Email or as the
"message/delivery-status" content type header value.
DETAILS
Vulnerable Systems:
* Sqwebmail version 4.0.4.20040524
Immune Systems:
* Sqwebmail 4.0.5
In order to inject script code into the system, the following SMTP
negotiation can take place:
$ telnet localhost 25
Trying x.x.x.x...
Connected to x.x.x.x.
Escape character is '^]'.
220 x.x.x.x ESMTP
helo foo
250 x.x.x.x
mail from:<test@test.com>
250 ok
rcpt to:<user@mediaservice.net>
250 ok
data
354 go ahead
<scr!pt>alert(document.location)</scr!pt>
.
[...]
Note: This works only if Sqwebmail is configured to display the full
headers (via preferences or via fullheaders cgi variable). Another
alternative is to send a raw Email message with the MIME Content-Type
header set to "message/delivery-status" with malformed content, much like
the script tag presented in the above example.
The vulnerable code is located within the print_header_uc() function in
'folder.c'. Upon examination of the code it was found that there are only
two calls to the vulnerable function. However, that is more than enough
since the function does not filter special characters such as angle
brackets. By sending a specially crafted Email message, an attacker is
able to invoke cross site scripting code with all possible ramifications.
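The missing step described above is output encoding of header text before it is written into the HTML page. The following is an added example, not Sqwebmail's code or the vendor's fix: escape_header() is a hypothetical helper that HTML-escapes an untrusted header line into a fixed-size buffer and refuses to emit a truncated result.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Sqwebmail's code): HTML-escape an untrusted
 * header line into out. Returns the length written, or -1 if out is too
 * small (out is left empty so no partial markup is ever printed). */
int escape_header(const char *in, char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return -1;
    for (; *in; in++) {
        const char *rep;
        char one[2] = { *in, '\0' };

        switch (*in) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (n + len >= outsz) {   /* keep room for the terminator */
            out[0] = '\0';
            return -1;
        }
        memcpy(out + n, rep, len);
        n += len;
    }
    out[n] = '\0';
    return (int)n;
}

int main(void)
{
    /* Constructed sample: the header line from the session above. */
    const char *hdr = "<scr!pt>alert(document.location)</scr!pt>";
    char buf[256];

    if (escape_header(hdr, buf, sizeof buf) < 0)
        return 1;
    printf("%s\n", buf);   /* angle brackets are rendered as text */
    return 0;
}
```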
Vendor Status:
The vendors (author and current maintainer) were informed and a new
version was released the same day which fixes the vulnerability.
ADDITIONAL INFORMATION
The information has been provided by
<mailto:luca.legato@mediaservice.net> Luca Legato.