Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] SquirrelMail Address Add Plugin XSS

from [Moritz Naumann] Network Security [Permanent Link]
Subject: [Full-disclosure] SquirrelMail Address Add Plugin XSS
Date: Thu, 29 Sep 2005 00:45:24 +0200 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



SA0002

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++        SquirrelMail Address Add Plugin XSS        +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


PUBLISHED ON
  Sep 28, 2005


PUBLISHED AT
  http://moritz-naumann.com/adv/0002/sqmadd/0002.txt


PUBLISHED BY
  Moritz Naumann IT Consulting & Services
  Hamburg/Germany
  http://moritz-naumann.com/

  info AT moritz HYPHON naumann D0T com
  GPG key: http://moritz-naumann.com/keys/0x277F060C.asc


AFFECTED PRODUCT OR SERVICE
  Address Add Plugin for Squirrelmail >= v1.4.0
  by Jimmy Conner
  http://sqmail.org/


AFFECTED VERSION
  Address Add Plugin Versions 1.9 and 2.0
  Possibly versions < 1.9 (untested)


BACKGROUND
  Everybody knows XSS.
  http://en.wikipedia.org/wiki/XSS
  http://www.cgisecurity.net/articles/xss-faq.shtml


ISSUE
  A XSS vulnerability has been detected in the Address Add Plugin for
  Squirrelmail. The problem is caused by insufficient input sanitation.

  Sending a HTML email containing an IMG tag which provides a SRC
  attribute pointing at the vulnerable plugin may allow an attacker to
  retrieve the victims' cookie and session information without the
  victim being aware. The exploit may be triggered when the victim
  clicks on a specially crafted URL contained in the email and hovers
  the address book form field.

  The following partial URL demonstrates the issue:

/squirrelmail_root_dir/plugins/address_add/add.php?first=HOVER%20ME!%22%20onMouseOver=%22alert('foo');

  Please move your mouse pointer over the input field which says so.

  Other variables on this script can be misused in the same way.


WORKAROUND
  Disable Javascript or disable plugin.


SOLUTIONS
  Version 2.1 of the plugin fixes the issue. The update is available on
  boths the developers' website at
    http://sqmail.org
  and on the SquirrelMail website at
    http://squirrelmail.org/plugin_view.php?id=101


TIMELINE
  Sep 24, 2005: Maintainer informed
  Sep 25, 2005: First maintainer reply
  Sep 25, 2005: Maintainer provides fix
  Sep 29, 2005: Public disclosure


CREDIT
  N/A


LICENSE
  Creative Commons Attribution-ShareAlike License Germany
  http://creativecommons.org/licenses/by-sa/2.0/de/



-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFDOx0En6GkvSd/BgwRAu4MAKCFk8Qawjt5p5oG1NYJpbvb9S1P5wCfdhDx
KWCJsXrTsmDnB3zv9gN3Nec=
=+0J4
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] SquirrelMail Address Add Plugin XSS, Moritz Naumann <=
Previous by Date:  Re: PocketPC exploitation, Jose Morales
Next by Date:  [Full-disclosure] [NRVA05-08] - Arbitrary file download by NateOn Messagener's ActiveX and DoS, saintlinu
Previous by Thread:  PHP-Fusion v6.00.109 SQL Injection / admin|users credentials disclosure, retrogod
Next by Thread:  [Full-disclosure] [NRVA05-08] - Arbitrary file download by NateOn Messagener's ActiveX and DoS, saintlinu
Indexes:  [Date] [Thread] [Top] [All Lists]