[imp] JS injection in Horde IMP 2.2.7
Mike Cochrane
mike@graftonhall.co.nz
Thu, 22 Aug 2002 22:34:50 +1200
But a browser shouldn't run any JavaScript or HTML in a text/plain document. It
should just display everything to screen character for character.
- Mike :-)
Quoting datan@seas.upenn.edu:
> You do know, that products with security vulnerabilities in earlier
> versions often have the same vulnerability in later versions, unless
> explicitly fixed:
>
>
> ---------------
> imp-3.1/view.php3:
>
> case VIEW_SOURCE:
> $msg = imap_fetchheader($imp['stream'], $index, FT_UID) . "\n" .
> imap_body($imp['stream'], $index, FT_UID);
> header('Content-Type: text/plain');
> header('Content-Disposition: inline; filename=Message Source');
> header('Content-Length: ' . strlen($msg));
> echo $msg;
> exit;
>
> --------------
>
> this is virtually identical to the offending code in the 2.2 versions.
> I haven't tried whether it works here though. It may very well not work.
>
> Although most people don't check message sources, an attacker could send an
> email with a bit of social engineering as such:
>
> _______________
> ... (bury the malicious script in the header) ...
>
>
> Server error:
> The message could not be downloaded. Please view the message source
> to read the message.
>
> ______________
>
>
> Thanks,
> Daniel
>
>
> Quoting Tim Gorter <email@teletechnics.com>:
>
> >
> > You do know that IMP is currently at stable version 3.1? Which is a
> > complete rewrite of what you may be used to in v2.2.7.
> > I don't think anyone is writing patches any more for the older versions.
> >
>
> --
> IMP mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
--
-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
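For reference, a hardened form of the view-source handler quoted above, written as an added example rather than taken from IMP's own code: it assumes `$stream` is an open `imap_open()` connection and `$index` a message UID as in the quoted `view.php3`, declares the charset explicitly, quotes the filename, and uses an attachment disposition so the browser saves the source instead of rendering it.

```php
<?php
// Added example (not IMP code): serve raw message source so that the browser
// treats it strictly as a text download and never as HTML.
// $stream and $index are assumed: an imap_open() handle and a message UID.
function send_message_source($stream, $index, $filename = 'message-source.txt')
{
    // Same data the quoted view.php3 code builds: headers plus body.
    $msg = imap_fetchheader($stream, $index, FT_UID) . "\n"
         . imap_body($stream, $index, FT_UID);

    // Keep the filename a single safe token so it cannot break the header
    // or carry an extension the browser would hand to another handler.
    $filename = preg_replace('/[^A-Za-z0-9._-]/', '_', $filename);
    if (!preg_match('/\.txt$/', $filename)) {
        $filename .= '.txt';
    }

    // State the charset explicitly instead of letting the browser guess one.
    header('Content-Type: text/plain; charset=UTF-8');
    // nosniff tells later browsers not to second-guess the declared type.
    // The header did not exist in 2002, so for the browsers discussed in this
    // thread the attachment disposition below is the effective protection.
    header('X-Content-Type-Options: nosniff');
    // attachment, not inline: the source is saved to disk rather than shown
    // in a rendering context. The filename is quoted, unlike the quoted code.
    header('Content-Disposition: attachment; filename="' . $filename . '"');
    header('Content-Length: ' . strlen($msg));
    echo $msg;
    exit;
}
```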