[imp] JS injection in Horde IMP 2.2.7

Mike Cochrane mike@graftonhall.co.nz
Thu, 22 Aug 2002 22:34:50 +1200


But a browser shouldn't run any javascript or html in a text/plain document. It
should just display everything to screen character for character.

- Mike :-)

Quoting datan@seas.upenn.edu:

> You do know that products with security vulnerabilities in earlier
> versions often have the same vulnerability in later versions, unless
> explicitly fixed:
> 
> 
> ---------------
> imp-3.1/view.php3:
> 
>  case VIEW_SOURCE:
>      $msg = imap_fetchheader($imp['stream'], $index, FT_UID) . "\n" .
>             imap_body($imp['stream'], $index, FT_UID);
>      header('Content-Type: text/plain');
>      header('Content-Disposition: inline; filename=Message Source');
>      header('Content-Length: ' . strlen($msg));
>      echo $msg;
>      exit;
> 
> --------------
> 
> This is virtually identical to the offending code in the 2.2 versions.
> I haven't tried whether it works here, though. It may very well not work.
> 
> Although most people don't check message sources, an attacker could send an
> email with a bit of social engineering as such:
> 
> _______________
>  ... (bury the malicious script in the header) ...
> 
> 
> Server error:
> The message could not be downloaded. Please view the message source
> to read the message.
> 
> ______________
> 
> 
> Thanks,
> Daniel
> 
> 
> Quoting Tim Gorter <email@teletechnics.com>:
> 
> >
> > You do know that IMP is currently at stable version 3.1, which is a
> > complete rewrite of what you may be used to in v2.2.7.
> > I don't think anyone is writing patches any more for the older versions.
> >
> 
> --
> IMP mailing list
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe@lists.horde.org


--

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/
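The disagreement in the thread is whether a browser will honour a `text/plain` response or will render whatever markup it finds in the message headers. The following is an added example, not code from IMP or from anyone in the thread: a hardened replacement for the `VIEW_SOURCE` branch quoted above that does not depend on the browser's answer to that question. The `$imp['stream']` / `$index` fetch is kept only as a comment; the raw message is a constructed sample string, the `charset` value is an assumption (raw RFC 2822 source has no single declared charset), and the `send_message_source` / `source_response_headers` function names are mine.

```php
<?php
// Added example, not IMP's own code. Hardened counterpart of the quoted
// VIEW_SOURCE branch in imp-3.1/view.php3.

/**
 * Build the response headers for serving raw message source.
 * Returned as an array so the result can be inspected from the CLI
 * without a web server.
 */
function source_response_headers(string $msg): array
{
    return [
        // Explicit charset (assumed value). A bare "text/plain" with no
        // charset is one of the cases in which some browsers fall back to
        // guessing the content type from the body.
        'Content-Type: text/plain; charset=ISO-8859-1',

        // "attachment" instead of "inline": the source is offered as a file
        // rather than rendered in the browser window. The filename is quoted;
        // the original 'filename=Message Source' (unquoted space) is not a
        // valid parameter value.
        'Content-Disposition: attachment; filename="message-source.txt"',

        // Tell browsers that support it not to second-guess the declared type.
        // This header postdates the 2002 thread; older browsers ignore it.
        'X-Content-Type-Options: nosniff',

        // strlen() counts bytes, which is what Content-Length wants.
        'Content-Length: ' . strlen($msg),
    ];
}

/** Emit the headers and the body, then stop, as the original branch did. */
function send_message_source(string $msg): void
{
    foreach (source_response_headers($msg) as $h) {
        header($h);
    }
    echo $msg;
    exit;
}

// In the real handler $msg would come from IMAP exactly as in the quoted code:
//   $msg = imap_fetchheader($imp['stream'], $index, FT_UID) . "\n"
//        . imap_body($imp['stream'], $index, FT_UID);
// Here a constructed sample stands in for it: markup buried in a header,
// which is the social-engineering scenario Daniel describes.
$sample = "From: someone@example.invalid\r\n"
        . "Subject: <b>Server error</b> <script>alert('x')</script>\r\n"
        . "\r\n"
        . "The message could not be downloaded. Please view the message source.\r\n";

if (PHP_SAPI === 'cli') {
    // CLI: just show what would be sent, instead of calling header().
    foreach (source_response_headers($sample) as $h) {
        echo $h, "\n";
    }
} else {
    send_message_source($sample);
}
```

Run with `php example.php` to print the four headers and confirm the `Content-Length` matches the sample's byte count; under a web SAPI the same function emits them with `header()`. Whether or not a given browser runs script in a `text/plain` document, serving the source as a quoted, downloadable attachment with an explicit charset removes the rendering decision from the browser entirely.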