[SNS Advisory No.54] Active! mail Executing the Script upon the Opening of a Mail Message Vulnerability

From: snsadv@lac.co.jp
Date: 06/13/02


Date: Thu, 13 Jun 2002 14:31:43 +0900
From: "snsadv@lac.co.jp" <snsadv@lac.co.jp>
To: bugtraq@securityfocus.com


----------------------------------------------------------------------
SNS Advisory No.54
Active! mail Executing the Script upon the Opening of a Mail Message Vulnerability

Problem first discovered: Fri, 31 May 2002
Published: Wed, 13 June 2002
----------------------------------------------------------------------

Overview:
---------
  Active! mail displays messages without converting them properly when
  a specific e-mail header contains HTML tags.

Problem Description:
--------------------
  Active! mail, developed and distributed by TransWARE Co.
  (http://www.transware.co.jp/), is a web-based e-mail system.
  Active! mail displays messages without converting them properly when
  a specific e-mail header contains HTML tags. If, for example, a user
  receives an e-mail with a malicious <script> tag embedded in the
  header, the script will run when the e-mail message is opened.
  Exploitation could disclose the user's cookie information and could
  allow an attacker to misuse the Web mail system.
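
  The class of flaw described above and its fix, as an added example that is not part of the original advisory and is not Active! mail code: a webmail header renderer that inserts header text into the page as-is, next to one that decodes the header and then HTML-escapes it. The advisory does not name the affected header; the header names, sample message and function names below are assumptions made for illustration.

```python
import html
from email import message_from_string
from email.header import decode_header, make_header

# Constructed sample message (not taken from the advisory). "X-Example" is a
# hypothetical header; the advisory does not say which header is affected.
SAMPLE = (
    "From: sender@example.com\n"
    "To: user@example.com\n"
    "Subject: =?utf-8?q?Q=26A_=3Cweekly=3E?=\n"
    "X-Example: <script>void 0</script>\n"
    "\n"
    "body\n"
)


def decode_value(raw):
    """Turn RFC 2047 encoded-words in a raw header value into plain text."""
    return str(make_header(decode_header(raw)))


def render_unsafe(name, raw):
    # The behaviour the advisory describes: header text reaches the HTML page
    # without conversion, so any markup in it is interpreted by the browser.
    return f"<tr><th>{name}</th><td>{decode_value(raw)}</td></tr>"


def render_safe(name, raw):
    # Decode first, escape last: escaping the still-encoded value would leave
    # the decoded "<" and ">" untouched.
    text = html.escape(decode_value(raw), quote=True)
    return f"<tr><th>{html.escape(name)}</th><td>{text}</td></tr>"


def render_headers(message_text, render):
    """Render every header of a message as HTML table rows."""
    msg = message_from_string(message_text)
    return "\n".join(render(name, value) for name, value in msg.items())


if __name__ == "__main__":
    print(render_headers(SAMPLE, render_unsafe))
    print(render_headers(SAMPLE, render_safe))
```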

Tested Versions:
----------------
  Active! mail 1.422
  Active! mail 2.0

Solution:
---------
  This problem can be eliminated by updating to Active! mail ver.2.0.1.1,
  which is available at:

  http://www.transware.co.jp/active/download/am_download.html

Discovered by:
--------------
  Keigo Yamazaki (LAC)

Disclaimer:
-----------
All information in these advisories is subject to change without advance notice or mutual consensus, and each advisory is released as is. LAC Co., Ltd. is not responsible for any risks arising from applying this information.

------------------------------------------------------------------
SecureNet Service(SNS) Security Advisory <snsadv@lac.co.jp>
Computer Security Laboratory, LAC http://www.lac.co.jp/security/
