===============================
- RS-Labs Security Advisory -
===============================

Title: "Content-Type" XSS vulnerability affecting other webmail systems
ID: RS-2004-2
Severity: Medium / High - Arbitrary tags injection in victim's browser context
Date: 30.Jun.2004
Author: Román Medina-Heigl Hernández (a.k.a. RoMaNSoFt)
URL: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-2.txt

.: [ SUMMARY ]

On 29.May.2004, I disclosed an important XSS vulnerability in the latest versions of a well-known webmail: SquirrelMail. Upon publication I received notice that other important webmails were also vulnerable to the same bug. Indeed, the same exploits released for SquirrelMail worked without any changes in these systems. I decided to contact several other webmail vendors and ask them directly to check their software and confirm or deny the vulnerability.

The purpose of this brief advisory is to provide you with the collected info in an objective and summarized way.

.: [ RESULTS ]

- IMP 3.2.3 (from Horde project). Vulnerable.
  "A new IMP version (3.2.4) that fixes this vulnerability has been released. Thanks for working with us to reproduce this flaw and letting us know about this security hole." [Jan Schneider]
  Solution: upgrade to release 3.2.4.

- OpenWebmail 2.32. Vulnerable.
  "This bug in openwebmail has already been fixed since openwebmail-2.32 20040603". [Chung-Kie Tung]
  Solution: upgrade to "openwebmail-current.tgz".

- IlohaMail 0.8.12. Vulnerable.
  "A vulnerability similar to the one you describe in your advisory was found in IlohaMail some time ago, and was fixed on April 8th. However, since there has not been a release since then, the fix is currently only available in CVS." [Ryo Chijiiwa]
  Solution: upgrade to release 0.8.13.

- Sqwebmail 4.0.4. Vulnerable (to similar bug).
  "Although sqwebmail did not have this content-type: vulnerability, versions 4.0.4 had a similar, related, cross-site scripting vulnerability when using the "full headers" command, which was fixed in 4.0.5" [Sam Varshavchik]
  Solution: upgrade to release 4.0.5.

- Camas. Not vulnerable.
  "I tested the two exploits with Courier-IMAP as the IMAP server and it doesn't work (at least without modifications and lookup in the source code) and can't work for 3 reasons:
   1) Camas IMAP client doesn't use BODYSTRUCTURE
   2) Pike's MIME.Message object is quite picky and won't allow any strange content-type (tested with 7.6 and 7.2, which all Camas maintained versions used). Camas's IMAP client (which is everything except perfect) actually fails because of this (at least one good point in it), so you can't read such a mail (but you can delete or move it).
   3) Camas escapes any HTML/XHTML characters regarding content type and file name (btw, it can be interesting to change the filename and check the result in SM...)" [David Gourdelier]

- BasiliX. Not vulnerable.
  "Similar problems were reported in BasiliX-1.1.0 (and probably earlier versions). When I took over maintenance of the project, between 1.1.0 and 1.1.1, some had been addressed and others hadn't. One of my first priorities was to fix this problem. As far as I am aware, these issues have been fixed in the latest stable release, BasiliX-1.1.1fix1, and in the upcoming release 1.1.2. In fact the fix1 release was released very quickly (within 24 hours) after 1.1.1 as a couple of XSS problems had slipped the net. As far as my tests go:
   BasiliX-1.1.0 and earlier - vulnerable
   BasiliX-1.1.1 (Nov 17 2003) - vulnerable
   BasiliX-1.1.1_fix1 (Nov 18 2003) - not vulnerable
   BasiliX cvs (and upcoming release) - not vulnerable" [Mike Peters]

- Hastymail. Not vulnerable. Release 1.0 and current CVS are reported to be non-vulnerable.
  "I am unable to duplicate the exploit with hastymail, and I believe it to be secure against this particular attack.
  I might also mention that hastymail uses NO javascript (one of our coding guidelines) so users can disable it completely if need be." [Jason Munro]

- GatorMail. Not vulnerable.
  "That said, I did a review and noticed that I missed a few on* events in html mail view, which has been fixed in CVS, and a hot fix has been applied to the only install of GatorMail I know of." [Sandy McArthur]

- JAWmail. Not vulnerable.
  "JAWmail 2.0 and upward is not vulnerable to 'From address HTML code insertion'. Also, JAWmail 1.x is not vulnerable. Same for Content-Type XSS bug." [Rudi Benkovič]
  "I checked it against JAWmail 1.0.2 and it's safe against this. Since JAWmail has used imap_rfc822_write_address() for quite some while now to generate properly formatted output, I do not think that any older version is vulnerable. I do not remember changing that part since I started with JAWmail (was version 0.9.18 I think)" [Sebastian Dietz]

- NS WebMail. Not vulnerable.
  "Looking through my code, NS WebMail is not vulnerable (headers are semi-"converted" using html entities before displaying). However, there were dozens of other security concerns (even worse and some more obvious) before 0.10.2, so in any case I urge my users to upgrade to that version." [Alexandre Aufrere]

.: [ ACKNOWLEDGMENTS ]

Some credits and thanks go to:

- George Theall reported IMP 3.2.3 being vulnerable
- Alejandro Ramos reported OpenWebmail 2.32 being vulnerable
- Jan Schneider . Horde (reported IMP 3.2.4 "fix" release)
- Chuck Hagenbuch . Horde (fixed IMP code)
- Chung-Kie Tung . OpenWebmail
- Sam Varshavchik . SqWebmail
- Xavier Beaudouin . Camas
- David Gourdelier . Camas
- Ryo Chijiiwa . IlohaMail
- Mike Peters . BasiliX
- Jason Munro . Hastymail
- Sandy McArthur . GatorMail
- Rudi Benkovič . JAWmail
- Sebastian Dietz . JAWmail
- Alexandre Aufrere .
NS WebMail

.: [ REFERENCES ]

* RS-2004-1 Advisory: SquirrelMail "Content-Type" XSS vulnerability
  http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
* RoMaNSoFt's Research Labs
  http://www.rs-labs.com/

-=EOF=-
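Added example, not part of the RS-Labs advisory nor of any webmail project named above: the defense several vendor replies describe (entity-encoding Content-Type fields such as the file name before they reach the attachment listing), next to a review check that flags header values carrying markup. The function names, the `_SUSPECT` heuristic and the sample header are my own constructions.

```python
import html
import re

# One ";name=value" parameter; the value is either a quoted-string
# (with \" and \\ escapes) or a bare token.
_PARAM = re.compile(r'\s*;\s*([^=;\s]+)\s*=\s*("((?:[^"\\]|\\.)*)"|[^;\s]*)')

# Heuristic for a log review or gateway check: a media type or file name
# never legitimately contains angle brackets or event-handler syntax.
_SUSPECT = re.compile(r"[<>]|javascript:|\bon\w+\s*=", re.I)

# Constructed sample header with a hostile name parameter (not from the advisory).
SAMPLE = 'text/plain; charset="us-ascii"; name="<b>report</b>.txt"'


def parse_content_type(header):
    """Split a Content-Type header into (media_type, {param: value}),
    undoing quoted-string escapes as RFC 2045 requires."""
    media_type, _, rest = header.partition(";")
    params = {}
    for m in _PARAM.finditer(";" + rest):
        value = m.group(3) if m.group(3) is not None else m.group(2)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", value)
    return media_type.strip().lower(), params


def render_attachment_row(header):
    """Return (unsafe_html, safe_html) for one attachment-list entry.
    unsafe_html interpolates the header verbatim, the pattern behind the
    advisory's 'arbitrary tags injection'; safe_html is what a webmail
    must emit (entity-encode every header-derived string)."""
    media_type, params = parse_content_type(header)
    name = params.get("name", "(unnamed)")
    unsafe = f"<li>{name} [{media_type}]</li>"
    safe = f"<li>{html.escape(name)} [{html.escape(media_type)}]</li>"
    return unsafe, safe


def suspicious_header_values(header):
    """List (field, value) pairs whose content only makes sense to an HTML
    renderer, i.e. candidates for the class of bug in this advisory."""
    media_type, params = parse_content_type(header)
    hits = [("media-type", media_type)] if _SUSPECT.search(media_type) else []
    hits += [(k, v) for k, v in params.items() if _SUSPECT.search(v)]
    return hits


if __name__ == "__main__":
    unsafe, safe = render_attachment_row(SAMPLE)
    print("UNSAFE:", unsafe)
    print("SAFE:  ", safe)
    print("FLAGS: ", suspicious_header_values(SAMPLE))
```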