[imp] XSS bug #3 (enough already!)

Ulf Harnhammar ulfh at update.uu.se
Sun Aug 3 02:39:50 PDT 2003


Hello again!

Here's one more stupid little patch, for a Cross-Site Scripting bug in IMP's
HTML mail display system:

<frameset rows="1,*">
<frame src="java&#x20;scrip&#84;:alert(57)">
<frame src="http://www.horde.org/imp/">
</frameset>

(the regular expressions in the code match literal spaces but not space
entities like &#x20;)

My patch (against the 3.2.1 release) should fix this problem.

// Ulf Harnhammar

-------------- next part --------------
--- imp-3.2.1/lib/MIME/Viewer/html.php.orig	2003-08-02 21:47:58.000000000 +0200
+++ imp-3.2.1/lib/MIME/Viewer/html.php	2003-08-02 21:50:30.000000000 +0200
@@ -50,6 +50,9 @@
             }
         }
 
+        /* Change space entities to space characters. */
+        $data = preg_replace('/&#(x0*20|0*32);?/i', ' ', $data);
+
         /* Nuke non-printable characters (a play in three acts). */
         // Rule #1: If we have a semicolon, it's deterministically detectable
         // and fixable, without introducing collateral damage.

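As an added illustration, not IMP's code and not the patch above, the following Python shows why a check that only strips literal whitespace misses the reported frame src, and a check that decodes numeric character references before looking for the scheme. It goes beyond the patch, which rewrites only the space entity, by decoding every decimal and hex reference; the sample input is the one from the report and the helper names are made up.

```python
import re

# Constructed from the report above: the scheme is split by a hex space
# reference and the "t" is given as a decimal reference (&#84; is "T").
SAMPLE_SRC = "java&#x20;scrip&#84;:alert(57)"

# Decimal (&#32;) or hex (&#x20;) numeric reference, semicolon optional,
# leading zeros allowed, as the IMP patch also permits.
_NUMREF = re.compile(r"&#x([0-9a-f]+);?|&#([0-9]+);?", re.I)


def naive_is_script_url(src: str) -> bool:
    """Old behaviour: drop literal whitespace, then look for javascript:."""
    collapsed = re.sub(r"\s+", "", src)
    return re.match(r"javascript:", collapsed, re.I) is not None


def decode_numeric_refs(s: str) -> str:
    """Replace &#NNN; / &#xHHH; with the character they denote.

    Out-of-range code points and NUL are dropped rather than kept."""
    def repl(m: re.Match) -> str:
        if m.group(1) is not None:
            cp = int(m.group(1), 16)
        else:
            cp = int(m.group(2))
        return chr(cp) if 0 < cp <= 0x10FFFF else ""
    return _NUMREF.sub(repl, s)


def hardened_is_script_url(src: str) -> bool:
    """Decode references first, then strip whitespace, then match the scheme.

    The attribute value is decoded before it is inspected, so the check sees
    the same string the browser will use."""
    decoded = decode_numeric_refs(src)
    collapsed = re.sub(r"\s+", "", decoded)
    return re.match(r"javascript:", collapsed, re.I) is not None


if __name__ == "__main__":
    for check in (naive_is_script_url, hardened_is_script_url):
        print(f"{check.__name__}: {check(SAMPLE_SRC)}")
```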