[imp] JS injection in Horde IMP 2.2.7

datan@seas.upenn.edu
Thu, 22 Aug 2002 01:11:52 -0400 (EDT)


Hi,
My school uses IMP 2.2.7 (but I think 2.2.8 is vulnerable as well,
looking at the source code). (In addition, 2.2.7 is known to be vulnerable to
CSS attacks.)

Playing around with it, I noticed two ways of injecting javascript into 
the html documents generated.

1. view source - does not check that the header or the body is free of
HTML tags. Most people don't view their message source, but I do when I get
messages from worms.

2. status.php contains a JavaScript that alerts the user when new messages
arrive. If the subject is

")</script><script> ... </script>

then the code is run. You can send this email when you are sure that the victim 
is logged onto IMP & reading his email.

It would then be possible to steal the session cookie.

As a courtesy, I'll post this to security lists when an updated version is 
available. Please let me know if these have been patched in 2.2.8 (there 
was no mention under SECURITY changes).


Thanks,
Daniel Tan
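The post describes two places where untrusted mail content ends up in generated HTML without encoding: the raw header and body in "view source", and the Subject inside an inline script string in status.php. The following is an added illustration, not code from the original post or from Horde/IMP, of why plain concatenation into a script string literal lets a sender close the string and the script element, and of one encoding step for each of the two contexts. The function names, the `newMail(...)` call and the sample subjects are constructed for the example.

```javascript
// Added example (not from the original post or from Horde/IMP): shows why
// dropping a raw mail Subject into an inline <script> string lets the sender
// run JavaScript in the reader's browser, and one way to encode it safely.

// Constructed sample subject in the shape the post describes: it closes the
// string and the script element, then opens a new one.
const HOSTILE_SUBJECT = '")</script><script>alert(1)</script>';
const BENIGN_SUBJECT = 'Meeting at 3pm (room "B")';

// The vulnerable pattern: plain string concatenation into a JS string literal.
// (newMail is a hypothetical client-side function for this example.)
function renderStatusVulnerable(subject) {
  return '<script>newMail("' + subject + '")</script>';
}

// Encode a value for use inside an inline <script> string literal.
// JSON.stringify handles quotes, backslashes and newlines, but does not touch
// '<', '>' or '&', so "</script>" would still terminate the element; those are
// rewritten as \u escapes, which the JS engine decodes but the HTML parser
// never sees as markup. U+2028/U+2029 are escaped for older JS parsers.
function jsStringLiteral(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderStatusSafe(subject) {
  return '<script>newMail(' + jsStringLiteral(subject) + ')</script>';
}

// For the "view source" case the raw header and body are inserted as HTML
// text, so HTML entity encoding is the right step there.
function htmlEscape(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// A check a unit test or code review can apply: the generated markup must
// contain exactly one opening and one closing script tag regardless of input.
function scriptTagBalanced(html) {
  const opens = (html.match(/<script>/gi) || []).length;
  const closes = (html.match(/<\/script>/gi) || []).length;
  return opens === 1 && closes === 1;
}

// Recover the subject the browser's JS engine would see, to confirm the safe
// encoding round-trips the original text without loss.
function decodeEmbedded(html) {
  const m = html.match(/^<script>newMail\((.*)\)<\/script>$/s);
  return m ? JSON.parse(m[1]) : null;
}

// Stand-alone demonstration.
console.log('vulnerable:', renderStatusVulnerable(HOSTILE_SUBJECT));
console.log('safe:      ', renderStatusSafe(HOSTILE_SUBJECT));
console.log('html text: ', htmlEscape(HOSTILE_SUBJECT));
```

The point of the `\u003c` rewriting is the edge case the Subject above exploits: the HTML parser finds the end of a `<script>` element by scanning for `</script>` before the JavaScript engine ever runs, so escaping only quotes is not enough. The same two encoders map directly onto the two IMP pages in the post: HTML entity encoding for the header and body text in view source, and a script-string encoder for the Subject in status.php.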