[imp] IMP XSS bug (delete other people's mail etc)
Ulf Harnhammar
ulfh at update.uu.se
Mon Jul 28 06:59:53 PDT 2003
Hello!
I've found a Cross-Site Scripting (XSS) bug in IMP 3.2.1 and some earlier
versions. Any person who sends an HTML e-mail to any IMP user may execute
JavaScript code in the IMP user's name with these constructions:
<body onLoad = "alert(57)">
<body style="width: expression(alert(57))">
(the last one "only" works on IE)
I've attached a quick patch that should fix this issue.
To fix other problems of this kind, you might consider using a whitelist
approach to HTML filtering instead of a blacklist approach. This means that
you only keep what is explicitly allowed, instead of removing what you know
is bad.
One such HTML filter with a whitelist approach that you might want to use or
just be inspired by is my filter kses:
http://sourceforge.net/projects/kses
// Ulf Harnhammar
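The whitelist approach described above, shown as an added example that is not part of the original post, of IMP, or of kses: the filter rebuilds the document from scratch and keeps only tags and attributes on a constructed allow-list, so the two reported payloads (an on* handler and a style attribute) fall out without any pattern ever naming them. The tag set, attribute set and URL schemes are assumptions chosen for the example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed whitelist policy: only these tags, with only these attributes,
# survive. Anything not listed (on* handlers, style, <body>, ...) is dropped.
ALLOWED = {"p": set(), "br": set(), "b": set(), "i": set(), "ul": set(),
           "li": set(), "a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = ("http:", "https:", "mailto:")
VOID = {"br", "img"}                      # no closing tag emitted
DROP_WITH_CONTENT = {"script", "style"}   # tag and its text both vanish

class WhitelistFilter(HTMLParser):
    """Rebuilds the document from scratch, keeping only whitelisted parts."""
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities decoded for us
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return                        # unknown tag dropped, its text kept
        kept = []
        for name, value in attrs:         # names arrive lowercased
            if name not in ALLOWED[tag] or value is None:
                continue                  # on*, style, and any unlisted attr
            if name in URL_ATTRS:
                # scheme check on the whitespace-stripped, lowercased value
                if not "".join(value.split()).lower().startswith(ALLOWED_SCHEMES):
                    continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def clean_html(html: str) -> str:
    """Return html reduced to the whitelist; the two IMP payloads become inert."""
    f = WhitelistFilter()
    f.feed(html)
    f.close()
    return "".join(f.out)
```

Because the parser decodes entities before the filter sees attribute values, the `&#...;` obfuscations the IMP regex has to enumerate by hand are handled in one place.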
-------------- next part --------------
--- imp-3.2.1/lib/MIME/Viewer/html.php.old 2003-07-28 15:38:14.000000000 +0200
+++ imp-3.2.1/lib/MIME/Viewer/html.php 2003-07-28 15:41:44.000000000 +0200
@@ -74,8 +74,9 @@
$preg = '/(�*61;?|�*3D;?|=)\s*(�*34;?|�*22;?|")?[^>]*\s*(�*115;?|�*73;?|s)\s*(�*99;?|�*63;?|c)\s*(�*114;?|�*72;?|r)\s*(�*105;?|�*69;?|i)\s*(�*112;?|�*70;?|p)\s*(�*116;?|�*74;?|t)\s*(�*58;?|�*3A;?|:)/i';
$data = preg_replace($preg, '=\2cleaned', $data);
- /* Get all on<foo>="bar()" tags. */
- $data = preg_replace('/(\s+[Oo][Nn]\w+)=/', '\1Cleaned=', $data);
+ /* Get all on<foo>="bar()" and style="" tags. */
+ $data = preg_replace('/(\s+[Oo][Nn]\w+)\s*=/', '\1Cleaned=', $data);
+ $data = preg_replace('/\s+style\s*=/i', ' Cleaned=', $data);
/* Get all tags that might cause trouble - <script>, <embed>,
etc. Meta refreshes and iframes, too. */
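Review bot: the added `\s*=` in the on<foo> rule closes the whitespace-before-equals gap from the report, but both rules are still blacklist matches on attribute names and, as the report itself recommends, a whitelist filter is the durable fix; the new `style` rule also drops every style attribute, benign ones included, which the comment on the first `+` line should state, e.g. `/* Neutralise all on<foo> event handlers and all style attributes. */`.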