On Jan 23, 2005, at 8:23 AM, David Chaplin-Loebell wrote:
I've been meaning to mention for a while now that the "domain" field (at minimum) in the qmailadmin login form is vulnerable to cross-site scripting attacks via get.

For example, try this link:

http://mail.inter7.com/cgi-bin/qmailadmin?domain='")<script>alert('This%20script%20is%20vulnerable%20to%20XSS')</script>

While this is probably only a minor security problem, it seems like something that ought to be fixed. I unfortunately don't have the knowledge necessary to patch it (I don't speak C).

Easy solution. Upgrade to 1.2.4. Excerpt from 1.2.4's ChangeLog:

- Add printh.c, new routines for generating HTML-safe and CGI-safe
  strings.
- Changes to almost all .c and .html files to make use of printh
  routines.  QmailAdmin should now properly handle email addresses
  that contain special characters (like '+' and '&'), including
  domain admin addresses.  It now also escapes user-supplied text
  to avoid possible HTML-insertion and cross site scripting attacks.

So, I tried your example on my server and found that it still popped a dialog box! Further investigation showed that some vpopmail code (in vlimits.c) was printing an error message that included the string.

Here's a patch for vlimits.c to fix that. It will be in the next vpopmail release. It looks like we need to go through and change a lot more printfs in vpopmail to go to stderr as well.

(word wrapping may break the patch -- you may need to make the changes manually)

--- vlimits.c   12 Dec 2003 16:10:58 -0000      1.10
+++ vlimits.c   23 Jan 2005 17:05:04 -0000      1.10.2.1
@@ -288,7 +288,7 @@

/* extract the dir, uid, gid of the domain */
if (vget_assign(mydomain, dir, sizeof(dir), &uid, &gid) == NULL) {
- printf ("Error. Domain %s was not found in the assign file\n", mydomain);
+ fprintf (stderr, "Error. Domain %s was not found in the assign file\n", mydomain);
return (-1);
}


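Review bot: redirecting the message to stderr keeps the caller-supplied `mydomain` out of the CGI's HTML response (stdout), but the string itself is still interpolated unescaped, so the fix depends on where stderr ends up rather than on the data being safe; when vpopmail is called from a CGI, stderr normally lands in the web server's error log. Since vlimits.c is library code, the more robust change is to drop the printf here entirely, keep the `return (-1)`, and let the caller decide how to report the failure, escaping at the output boundary the way the printh routines in qmailadmin 1.2.4 do.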
@@ -332,7 +332,7 @@

/* get the dir, uid and gid of the nominated domain */
if (vget_assign(mydomain, dir, sizeof(dir), &uid, &gid) == NULL) {
- printf ("Error. Domain %s was not found in the assign file\n",mydomain);
+ fprintf (stderr, "Error. Domain %s was not found in the assign file\n",mydomain);
return(-1);
}


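Review bot: this hunk is the same change as the one at line 288, down to the message text and the `vget_assign` condition, which is an argument for one shared error path in vlimits.c instead of two printfs that have to be patched in lockstep. The `,mydomain` without a space after the comma should also match the spacing of the first hunk. The same caveat applies: the domain is still written out unescaped, just to a different stream.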
Recompile vpopmail, upgrade to qmailadmin 1.2.4 or later, and it will take care of the XSS vulnerability.

--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/