XSS in Horde IMP <=4.3.7, fetchmailprefs.php

2011-04-01 / 2011-04-02
Risk: Low
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Horde IMP v4.3.7 and lower are subject to a cross-site scripting (XSS) vulnerability: the fetchmailprefs.php script fails to properly sanitize user-supplied input to the 'fm_id' URL parameter. If exploited, the injected code will be persistent (persistent XSS) and will execute once the user (manually) accesses the mail fetching preferences. The following URL can be used as a proof of concept:

> [path_to_horde_imp]/fetchmailprefs.php?actionID=fetchmail_prefs_save&fm_driver=imap&fm_id=zzz%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3Cx+y%3D%22&fm_protocol=pop3&fm_lmailbox=INBOX&save=Create

Prior authentication to IMP is required for immediate exploitation. Follow-up authentication is also possible if the victim's IMP configuration has folder maintenance options disabled.

This issue has been fixed by Jan Schneider of the Horde Project:

> http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11

According to him, Horde IMP v4.3.8 (or a release candidate) which fixes this issue is to be released within the week. Release announcements will likely be communicated through http://lists.horde.org/mailman/listinfo/announce

Credits for this discovery: Moritz Naumann, Naumann IT Security Consulting, Berlin, Germany, http://moritz-naumann.com

Thanks for reading,
Moritz

--
Naumann IT Security Consulting
Samariterstr. 16
10247 Berlin
Germany
Web http://moritz-naumann.com
GPG http://moritz-naumann.com/keys/0x277F060C.asc
17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C
Owner: Moritz Naumann · Tax no. 22/652/12010 · VAT ID DE266365097
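To show what the advisory's fm_id payload does once it is written back into an HTML attribute, and how attribute-context escaping defuses it, here is an added PHP example. It is not Horde's code and not Jan Schneider's patch; the preferences form markup, the two render functions, the fragment check and the decoded request array are all assumptions constructed for illustration.

```php
<?php
// Added example, not Horde's code. The form markup is a stand-in for a
// fetchmail preferences page that writes the stored fm_id value into an
// HTML attribute; the array below is what the advisory's PoC URL yields
// in $_GET after URL decoding (constructed here so the script runs offline).
$constructedGet = [
    'actionID'    => 'fetchmail_prefs_save',
    'fm_driver'   => 'imap',
    'fm_id'       => 'zzz"><script>alert(\'XSS\')</script><x y="',
    'fm_protocol' => 'pop3',
    'fm_lmailbox' => 'INBOX',
    'save'        => 'Create',
];

// Vulnerable pattern: the stored value is echoed into a double-quoted
// attribute without escaping, so the " in the payload closes the
// attribute and the remainder is parsed as markup.
function renderVulnerable(string $fmId): string
{
    return '<input type="hidden" name="fm_id" value="' . $fmId . '">';
}

// Hardened pattern: ENT_QUOTES escapes both quote styles, so the value can
// never terminate the attribute; ENT_SUBSTITUTE keeps invalid UTF-8 from
// silently turning the output into an empty string.
function renderEscaped(string $fmId): string
{
    $safe = htmlspecialchars($fmId, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="hidden" name="fm_id" value="' . $safe . '">';
}

// Cheap regression check for a unit test: the rendered fragment must
// contain exactly one element start and no <script> element.
function fragmentIsSingleTag(string $html): bool
{
    return preg_match_all('/<[a-zA-Z]/', $html) === 1
        && stripos($html, '<script') === false;
}

$fmId = $constructedGet['fm_id'];
echo "vulnerable: ", renderVulnerable($fmId), "\n";
echo "escaped:    ", renderEscaped($fmId), "\n";
echo "vulnerable passes check: ", var_export(fragmentIsSingleTag(renderVulnerable($fmId)), true), "\n";
echo "escaped passes check:    ", var_export(fragmentIsSingleTag(renderEscaped($fmId)), true), "\n";
```

Run it with the PHP CLI: the vulnerable rendering contains three element starts (input, script, x) and fails the check, while the escaped rendering is a single input element whose value is inert text.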

References:

https://bugzilla.redhat.com/show_bug.cgi?id=641069
http://openwall.com/lists/oss-security/2010/10/01/6
http://openwall.com/lists/oss-security/2010/09/30/8
http://openwall.com/lists/oss-security/2010/09/30/7
http://lists.horde.org/archives/announce/2010/000558.html
http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=598584
http://www.vupen.com/english/advisories/2011/0769
http://www.vupen.com/english/advisories/2010/2513
http://www.securityfocus.com/bid/43515
http://www.securityfocus.com/archive/1/archive/1/513992/100/0/threaded
http://www.debian.org/security/2011/dsa-2204
http://secunia.com/advisories/43896
http://secunia.com/advisories/41627
http://lists.horde.org/archives/announce/2010/000568.html
http://git.horde.org/diff.php/groupware/docs/webmail/CHANGES?rt=horde&r1=1.35.2.11&r2=1.35.2.13&ty=h
http://cvs.horde.org/diff.php/imp/docs/CHANGES?rt=horde&r1=1.699.2.424&r2=1.699.2.430&ty=h
http://archives.neohapsis.com/archives/fulldisclosure/2010-09/0379.html


Copyright 2024, cxsecurity.com
