[imp] JS injection in Horde IMP 2.2.7
Harry Hoffman
hhoffman@ip-solutions.net
Thu, 22 Aug 2002 23:03:15 +1200
I find this to be a problem in general with Universities. Each school winds up
running their own "webmail" server with different varities and different
versions. An audit was just done here at UofA and at least 5 seperate versions
of Horde/IMP are running. We're trying to get them under one umbrella of Horde,
and I see that Penn has done the same. It seems like more and more Univ.'s are
trying to consolidate the webmail servers. Many others are doing it as well,
just using a different system. You can't really make people upgrade when
software it is no longer supported. However in order to keep improving the
software you can't support older versions.
Cheers,
Harry
Quoting datan@seas.upenn.edu:
*> Hi,
*> My school uses IMP 2.2.7 (but I think 2.2.8 is vulnerable as well
*> looking at the source codes). (In addition, 2.2.7 is known to be vulnerable
*> to
*> CSS attacks.)
*>
*> Playing around with it, I noticed two ways of injecting javascript into
*> the html documents generated.
*>
*> 1. view source - does not check that the header or the body does not have
*> html tags. Most people don't view their message source, but I do when I get
*> messages from worms.
*>
*> 2. status.php contains a javascript that alerts the user when new messages
*> arrive. if the subject is
*>
*> ")</script><script> ... </script>
*>
*> then the code is run. You can send this email when you are sure that the
*> victim
*> is logged onto IMP & reading his email.
*>
*> It would then be possible to steal the session cookie.
*>
*> As a courtesy, I'll post this to security lists when an updated version is
*> available. Please let me know if these have been patched in 2.2.8 (there
*> was no mention under SECURITY changes).
*>
*>
*> Thanks,
*> Daniel Tan
*>
*> --
*> IMP mailing list
*> Frequently Asked Questions: http://horde.org/faq/
*> To unsubscribe, mail: imp-unsubscribe@lists.horde.org
--
Harry Hoffman
ITSS Systems Team Leader
University of Auckland
hhoffman@auckland.ac.nz
hhoffman@ip-solutions.net
STANDARD DISCLAIMER:
**********************************************
*This universe shipped by weight, not volume.*
*Some expansion may have occured in shipping.*
*********************************************
-------------------------------------------------
Mail service provided by IpSolutions
http://www.ip-solutions.net/