[imp] JS injection in Horde IMP 2.2.7
datan@seas.upenn.edu
Thu, 22 Aug 2002 06:08:58 -0400 (EDT)
You do know that products with security vulnerabilities in earlier
versions often have the same vulnerability in later versions, unless
explicitly fixed:
---------------
imp-3.1/view.php3:
case VIEW_SOURCE:
$msg = imap_fetchheader($imp['stream'], $index, FT_UID) . "\n" . imap_body($imp['stream'], $index, FT_UID);
header('Content-Type: text/plain');
header('Content-Disposition: inline; filename=Message Source');
header('Content-Length: ' . strlen($msg));
echo $msg;
exit;
--------------
This is virtually identical to the offending code in the 2.2 versions.
I haven't tried whether it works here though. It may very well not work.
Although most people don't check message sources, an attacker could send an
email with a bit of social engineering as such:
_______________
... (bury the malicious script in the header) ...
Server error:
The message could not be downloaded. Please view the message source
to read the message.
______________
Thanks,
Daniel
Quoting Tim Gorter <email@teletechnics.com>:
>
> You do know that IMP is currently at stable version 3.1? Which is a
> complete rewrite of what you may be used to in v2.2.7.
> I don't think anyone is writing patches any more for the older versions.
>
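For comparison with the view.php3 snippet quoted in the message above, here is an added example of a hardened "view message source" handler. It is not IMP's or Horde's own code: it assumes `$imp['stream']` is an open IMAP stream and `$index` a message UID, as in the quoted snippet, and the function name `send_message_source` is hypothetical. The `X-Content-Type-Options` and `Content-Security-Policy` headers postdate this 2002 thread; the point of the example is that a bare `Content-Type: text/plain` served inline leaves the browser free to sniff attacker-controlled bytes as HTML, and that a raw message source should be delivered as opaque bytes that are never rendered in the webmail origin.

```php
<?php
// Added example (not IMP's own code): hardened raw-source download.
// Assumes $imp['stream'] is an open IMAP stream and $index a UID,
// as in the view.php3 snippet quoted in the thread. The function
// name is hypothetical.

function send_message_source($stream, $index)
{
    // Same fetch as the original handler: full headers plus body.
    $msg = imap_fetchheader($stream, $index, FT_UID) . "\n"
         . imap_body($stream, $index, FT_UID);

    // 1. Declare the type precisely, including a charset, so the
    //    browser has nothing to guess about. A bare text/plain is
    //    exactly the case where older browsers inspect the body and
    //    may decide it is HTML.
    header('Content-Type: text/plain; charset=us-ascii');

    // 2. Forbid content sniffing outright. Modern browsers honour
    //    this; the remaining headers cover clients that do not.
    header('X-Content-Type-Options: nosniff');

    // 3. Deliver as a download, not inline. The original used
    //    "inline; filename=Message Source": an unquoted value with a
    //    space, which is malformed, and "inline" asks the browser to
    //    render attacker-controlled bytes inside the webmail origin.
    //    Quote the filename and use attachment instead.
    header('Content-Disposition: attachment; filename="message-source.txt"');

    // 4. Defence in depth: even if some client still renders the
    //    response, refuse to load or execute any script in it.
    header("Content-Security-Policy: default-src 'none'");

    // strlen() counts bytes in PHP, so the length matches the body.
    header('Content-Length: ' . strlen($msg));
    echo $msg;
    exit;
}

send_message_source($imp['stream'], $index);
```

The headers in steps 2 and 4 cost nothing on an endpoint that only ever returns raw RFC 2822 text, and step 3 is the one that matters most for the browsers of the era discussed in the thread: a download is never interpreted as a page, whatever the body looks like.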