[imp] IMP XSS bug #2
Ulf Harnhammar
ulfh at update.uu.se
Sat Aug 2 01:09:30 PDT 2003
Hello!
I have found two more Cross-Site Scripting problems in IMP's HTML mail display
system:
** EXAMPLE #1 **
(the entities for "script:" don't allow for upper case letters)
<frameset rows="1,*">
<frame src="javAsCripT:alert(57)">
<frame src="http://www.horde.org/imp/">
</frameset>
** EXAMPLE #2 **
(numeric entities wrap over after 2 ** 32)
(works on Mozilla, Galeon and Opera - but not on Internet Explorer)
<frameset rows="1,*">
<frame src="javAsCripT�alert(57)">
<frame src="http://www.horde.org/imp/">
</frameset>
The attached patch (against the 3.2.1 release) should fix these problems.
// Ulf Harnhammar
-------------- next part --------------
--- imp-3.2.1/lib/MIME/Viewer/html.php.orig 2003-08-01 19:58:51.000000000 +0200
+++ imp-3.2.1/lib/MIME/Viewer/html.php 2003-08-01 20:03:27.000000000 +0200
@@ -68,10 +68,22 @@
// authors: always use the semicolon.)
$data = preg_replace('/�*(9|1[0-3])([^0-9]|$)/i', ' \\2', $data);
+ /* Remove overly long numeric entities. */
+ $data = preg_replace('/&#x?0*[0-9A-F]{6,};?/i', ' ', $data);
+
/* Get all attribute="javascript:foo()" tags. */
/* This is essentially the regex /=("?)[^>]*script:/ but expanded */
/* to catch camouflage with spaces and entities. */
- $preg = '/(�*61;?|�*3D;?|=)\s*(�*34;?|�*22;?|")?[^>]*\s*(�*115;?|�*73;?|s)\s*(�*99;?|�*63;?|c)\s*(�*114;?|�*72;?|r)\s*(�*105;?|�*69;?|i)\s*(�*112;?|�*70;?|p)\s*(�*116;?|�*74;?|t)\s*(�*58;?|�*3A;?|:)/i';
+ $preg = '/(�*61;?|�*3D;?|=)\s*'.
+ '(�*34;?|�*22;?|")?'.
+ '[^>]*\s*'.
+ '(s|�*83;?|�*53;?|�*115;?|�*73;?)\s*'.
+ '(c|�*67;?|�*43;?|�*99;?|�*63;?)\s*'.
+ '(r|�*82;?|�*52;?|�*114;?|�*72;?)\s*'.
+ '(i|�*73;?|�*49;?|�*105;?|�*69;?)\s*'.
+ '(p|�*80;?|�*50;?|�*112;?|�*70;?)\s*'.
+ '(t|�*84;?|�*54;?|�*116;?|�*74;?)\s*'.
+ '(:|�*58;?|�*3a;?)/i';
$data = preg_replace($preg, '=\2cleaned', $data);
/* Get all on<foo>="bar()" tags. */
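Review bot: the new "Remove overly long numeric entities" line is too broad: `[0-9A-F]{6,}` after `0*` drops every decimal reference of 100000 or more and every hex reference of 0x100000 or more, yet valid code points run up to 0x10FFFF (decimal 1114111), so legitimate supplementary-plane characters in a message body are replaced with a space. A reference that would wrap past 2**32 needs at least 10 decimal or 9 hex digits, so filtering on the decoded value (anything above 0x10FFFF) rather than on a 6-digit length would catch the wrap-around case without eating valid characters. The rewritten `$preg` correctly adds the upper-case code points (`83`/`53` for S, `67`/`43` for C and so on), since the `/i` flag only makes the regex letters case-insensitive and cannot make `&#115;` match `&#83;`. Note also that the archive rendering has replaced the `&#`/`&#x` prefixes inside the regex alternatives with `�`, so the hunk as displayed here will not apply as-is; use the original attachment.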
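The two bugs in the post are both failures to normalise numeric character references before looking for a `script:` scheme: upper-case letters in the decoded text (or an upper-case hex marker such as `&#X3A`) slip past a lower-case-only entity list, and a value above 2**32 wraps to a small code point in some browsers. The following is an added Python example, not IMP's code or the author's patch, showing a decode-then-check approach: references are decoded by value, anything outside the valid code point range (which covers every value that could wrap past 2**32) is replaced with a space as the patch does, and the decoded, whitespace-stripped attribute value is then searched case-insensitively for `script:`. All sample markup is constructed here; the wrap-around vector uses 4294967354 (2**32 + 58, a colon) as a stand-in, since the original post's entity value did not survive in the archive.

```python
import re
from html import escape

# Decimal or hex numeric character reference. The hex marker, the hex digits
# and the optional semicolon are matched case-insensitively, so "&#X3a" is
# treated like "&#x3A" (the case IMP's original entity list missed).
_NUMERIC_REF = re.compile(r'&#(?:x([0-9a-f]+)|([0-9]+));?', re.IGNORECASE)
# Whitespace and control characters browsers tolerate inside a URL scheme.
_NOISE = re.compile(r'[\x00-\x20]')
# Simplistic attr="value" matcher, enough for the frame/img samples below.
_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
MAX_CODEPOINT = 0x10FFFF


def decode_numeric_refs(value: str) -> tuple[str, int]:
    """Decode numeric references in an attribute value.

    Returns (decoded, invalid_count). A reference that is zero, a UTF-16
    surrogate, or above U+10FFFF becomes a single space instead of being
    truncated modulo 2**32. Leading zeros are stripped before the length
    check so "&#0000000065;" still decodes to "A".
    """
    invalid = 0

    def repl(m: re.Match) -> str:
        nonlocal invalid
        hex_digits, dec_digits = m.group(1), m.group(2)
        base = 16 if hex_digits is not None else 10
        digits = (hex_digits if hex_digits is not None else dec_digits).lstrip('0')
        if not digits:
            cp = 0                      # all zeros
        elif len(digits) > 7:
            cp = MAX_CODEPOINT + 1      # too long to be a valid code point
        else:
            cp = int(digits, base)
        if cp == 0 or cp > MAX_CODEPOINT or 0xD800 <= cp <= 0xDFFF:
            invalid += 1
            return ' '
        return chr(cp)

    return _NUMERIC_REF.sub(repl, value), invalid


def neutralize_script_url(value: str) -> tuple[str, bool]:
    """Decode an attribute value and neutralise any 'script:' scheme.

    After decoding and removing whitespace/control characters, one
    case-insensitive search for 'script:' covers javascript:, vbscript:,
    livescript: and any mixed-case spelling. Returns (cleaned, was_modified);
    the literal 'cleaned' mirrors what IMP's regex substitutes.
    """
    decoded, invalid = decode_numeric_refs(value)
    compact = _NOISE.sub('', decoded)
    if 'script:' in compact.lower():
        return 'cleaned', True
    return decoded, invalid > 0


def sanitize_tag_attributes(fragment: str) -> tuple[str, list[str]]:
    """Rewrite every attr="value" pair; return (fragment, flagged attribute names)."""
    flagged: list[str] = []

    def repl(m: re.Match) -> str:
        name, raw = m.group(1), m.group(2)
        cleaned, changed = neutralize_script_url(raw)
        if changed:
            flagged.append(name)
        # Re-escape so a decoded quote or ampersand cannot break the attribute.
        return f'{name}="{escape(cleaned, quote=True)}"'

    return _ATTR.sub(repl, fragment), flagged


# Constructed samples (hypothetical markup, not taken from the post verbatim).
SAMPLES = {
    'mixed_case': '<frame src="javAsCripT:alert(57)">',
    'wraparound': '<frame src="javAsCripT&#4294967354;alert(57)">',  # 2**32 + 58
    'hex_upper':  '<frame src="JAVA&#X53;CRIPT&#x3a;alert(57)">',
    'benign':     '<frame src="http://www.horde.org/imp/">',
    'astral':     '<img alt="&#128512;">',  # U+1F600: 6 decimal digits, legitimate
}

if __name__ == '__main__':
    for label, markup in SAMPLES.items():
        out, flagged = sanitize_tag_attributes(markup)
        print(f'{label:11} {out!r:55} flagged={flagged}')
```

Running the module shows the first three samples being neutralised, the benign URL passing untouched, and the six-digit reference to U+1F600 surviving as a real character, which is the case a length-based filter on the reference would discard.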