[imp] JS injection in Horde IMP 2.2.7

datan@seas.upenn.edu
Thu, 22 Aug 2002 09:30:25 -0400 (EDT)


My apologies, I should have been more specific:

quoting from IMP documentation:
____________________
NOTE:  PHP 3.0.16 has a bug which can cause the following error:

    Warning: Bad message number

This is a PHP bug, not an IMP bug.  You need to patch PHP's imap.c to
fix the php3_imap_fetchheader() function.  The patch is available here:
____________________

When that happens, an error message is sent to the browser first 
before the headers, thus our js script can run only under these circumstances.
So an attacker would have to look into imap.c to figure out exactly what 
circumstances would trigger the error.

So is it possible that IMP running on unpatched PHP 3.0.16 will be
vulnerable even if it is 2.2.8 or 3.0+?

Thanks,
Daniel Tan

Quoting Mike Cochrane <mike@graftonhall.co.nz>:

> But a browser shouldn't run any javascript or html in a text/plain
> document. It should just display everything to screen character for character.
> 
> - Mike :-)
> 
> Quoting datan@seas.upenn.edu:
> 
> > You do know, that products with security vulnerabilities in earlier
> > versions often have the same vulnerability in later versions, unless
> > explicitly fixed:
> > 
> > 
> > ---------------
> > imp-3.1/view.php3:
> > 
> >  case VIEW_SOURCE:
> >      $msg = imap_fetchheader($imp['stream'], $index, FT_UID) . "\n" .
> >          imap_body($imp['stream'], $index, FT_UID);
> >      header('Content-Type: text/plain');
> >      header('Content-Disposition: inline; filename=Message Source');
> >      header('Content-Length: ' . strlen($msg));
> >      echo $msg;
> >      exit;
> > 
> > --------------
> > 
> > This is virtually identical to the offending code in the 2.2 versions.
> > I haven't tried whether it works here though. It may very well not work.
> > 
> > Although most people don't check message sources, an attacker could
> > send an email with a bit of social engineering as such:
> > 
> > _______________
> >  ... (bury the malicious script in the header) ...
> > 
> > 
> > Server error:
> > The message could not be downloaded. Please view the message source
> > to read the message.
> > 
> > ______________
> > 
> > 
> > Thanks,
> > Daniel
> > 
> > 
> > Quoting Tim Gorter <email@teletechnics.com>:
> > 
> > >
> > > You do know, that IMP is currently at stable version 3.1? Which is a
> > > complete rewrite of what you may be used to in v2.2.7.
> > > I don't think anyone is writing patches any more for the older versions.
> > >
> > 
> > --
> > IMP mailing list
> > Frequently Asked Questions: http://horde.org/faq/
> > To unsubscribe, mail: imp-unsubscribe@lists.horde.org
> 
> 
> --
> 
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> 
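The thread's two points are that a PHP warning emitted ahead of the header() calls makes them fail (so the raw message source goes out with the server's default text/html type), and that serving raw message source as text/plain only helps if the browser honours the declared type. Below is an added example of a hardened view-source handler; it is not IMP's code and was not posted by anyone in this thread. It assumes a hypothetical open IMAP $stream and message $index, and the same imap_fetchheader()/imap_body() calls as the quoted view.php3 fragment.

```php
<?php
// Added example, not IMP's own code. Assumes an open IMAP $stream and a
// message $index as in the quoted view.php3 fragment (both hypothetical here).

// 1. A PHP warning such as the "Bad message number" message must never reach
//    the client ahead of the headers: log it instead of displaying it, and
//    buffer all output until the headers have been committed.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ob_start();

$headers = imap_fetchheader($stream, $index, FT_UID);
$body = imap_body($stream, $index, FT_UID);

if ($headers === false || $body === false) {
    // The fetch failed. Discard whatever PHP may have printed into the buffer
    // and return a clean error with a fixed, safe content type.
    ob_end_clean();
    header('HTTP/1.0 500 Internal Server Error');
    header('Content-Type: text/plain; charset=us-ascii');
    header('X-Content-Type-Options: nosniff');
    echo "Could not fetch message source.\n";
    exit;
}
$msg = $headers . "\n" . $body;

// 2. Defensive check: if anything already went to the client, our header()
//    calls below would be ignored and the source would be served as text/html.
//    Refuse to serve it at all in that case and log where output started.
if (headers_sent($file, $line)) {
    ob_end_clean();
    error_log("view source: output started at $file:$line before headers");
    exit;
}

ob_end_clean();
header('Content-Type: text/plain; charset=us-ascii');
// 3. Tell the browser not to second-guess the declared type by sniffing.
header('X-Content-Type-Options: nosniff');
// 4. Fixed filename; nothing taken from the message is echoed into a header.
header('Content-Disposition: attachment; filename="message-source.txt"');
header('Content-Length: ' . strlen($msg));
echo $msg;
exit;
```

Two design choices differ from the quoted fragment: the source is offered as an attachment rather than inline, so the browser does not attempt to render it in the page at all, and the PHP warning case is handled explicitly rather than relying on the warning never being printed. The X-Content-Type-Options: nosniff header is a later addition to browsers than the 2002 discussion, but it is the standard way to make the text/plain declaration binding.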