[imp] JS injection in Horde IMP 2.2.7
datan@seas.upenn.edu
Thu, 22 Aug 2002 01:11:52 -0400 (EDT)
Hi,
My school uses IMP 2.2.7 (but I think 2.2.8 is vulnerable as well,
looking at the source code). (In addition, 2.2.7 is known to be vulnerable to
CSS attacks.)
Playing around with it, I noticed two ways of injecting JavaScript into
the HTML documents generated.
1. View source - does not check that the header or the body does not have
HTML tags. Most people don't view their message source, but I do when I get
messages from worms.
2. status.php contains a JavaScript that alerts the user when new messages
arrive. If the subject is
")</script><script> ... </script>
then the code is run. You can send this email when you are sure that the victim
is logged onto IMP & reading his email.
It would then be possible to steal the session cookie.
As a courtesy, I'll post this to security lists when an updated version is
available. Please let me know if these have been patched in 2.2.8 (there
was no mention under SECURITY changes).
Thanks,
Daniel Tan
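The two contexts in the post above (an untrusted subject dropped into an inline script string, and raw headers or body printed into a page) are the classic places where a mail client forgets to encode output. The following is an added example, not code from Daniel Tan's post and not Horde/IMP code: it shows the unsafe inline-script pattern the post describes next to a JSON-escaped version, an HTML text-context escaper for the view-source case, and a small output check that counts script openers in the rendered markup. The function names are hypothetical; the sample subject is the one quoted in the post.

```javascript
// Added example (not Horde/IMP code): embedding an untrusted mail subject in
// HTML and in an inline <script> string, the unsafe way and the escaped way.
// All function names here are hypothetical.

// Sample subject, copied from the post above (constructed test input).
const SAMPLE_SUBJECT = '")</script><script> ... </script>';

// Unsafe: the subject is concatenated straight into a JS string literal
// inside an inline script. A quote plus a closing tag in the subject ends the
// literal and the script early, which is the status.php pattern the post
// describes. Kept here only as the "before" for comparison.
function renderNewMailAlertUnsafe(subject) {
  return '<script>alert("New message: ' + subject + '")</script>';
}

// Escape a value for use as a JS string literal inside an inline <script>.
// JSON.stringify takes care of quotes, backslashes and control characters;
// the extra replacements stop the HTML parser from ever seeing "</script" or
// another tag, and keep U+2028/U+2029 from breaking the JS parser.
function jsStringLiteralForHtml(value) {
  return JSON.stringify(String(value))
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Hardened version of the alert snippet: the subject is a separate, fully
// escaped literal, so it can never close the string or the script element.
function renderNewMailAlertSafe(subject) {
  return '<script>alert("New message: " + ' +
    jsStringLiteralForHtml(subject) + ')</script>';
}

// Escape for an HTML text context, e.g. raw headers or body shown by
// "view source". Every character that could open markup is entity-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Output check usable in a test suite: a rendered alert snippet should
// contain exactly one <script opener. More than one means markup from the
// subject survived into the page.
function countScriptOpeners(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Stand-alone demonstration (guarded so the file also loads as a module).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('unsafe openers:', countScriptOpeners(renderNewMailAlertUnsafe(SAMPLE_SUBJECT)));
  console.log('safe openers:  ', countScriptOpeners(renderNewMailAlertSafe(SAMPLE_SUBJECT)));
  console.log(renderNewMailAlertSafe(SAMPLE_SUBJECT));
  console.log(escapeHtml('<b>raw header or body</b>'));
}
```

The design choice worth noting is that the safe renderer escapes for both parsers at once: JSON escaping alone would still leave a literal `</script>` inside the string, and the HTML parser closes the element before the JS parser ever runs, which is exactly why the subject in the post works against the unescaped version.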