
| Subject: | Horde MIME Viewer vulnerability |
|---|---|
| Date: | 22 Nov 2005 17:50:44 -0000 |
Title : Cross-Site-Scripting Vulnerability in Horde IMP.
Date : November 17, 2005
Product : Horde MIME Viewer < 3.0.7
Discovered by : Daniel Schreckling

Overview
======================================================================

The Horde [http://www.horde.org] Project comprises a set of web-based productivity, messaging, and project-management applications. The Horde Framework is a common code base used by Horde applications, including libraries and a common user interface.

IMP [http://www.horde.org/imp/] is the Internet Messaging Program (formerly, among other things, the IMAP webMail Program), a webmail system and a component of the Horde project. IMP is the most widely deployed component of Horde. It offers most of the features users have come to expect from conventional mail programs, including attachments, spell-check, address books, multiple folders, and multiple-language support.

Among other features, the Internet Messaging Program can display inline attachments using so-called MIME viewers. Because some of these viewers mishandle attachments, an attacker can inject arbitrary JavaScript code, delete messages, steal authentication or session cookies, etc.

Details
======================================================================

For security reasons, Horde IMP and its internal MIME viewers do not display inline messages by default. HTML pages, for example, which may contain malicious code, are not displayed. Horde goes one step further and filters these HTML pages when the user forces the attachment to be displayed: potentially harmful client-side code such as <script> tags is removed.

The same behavior is expected for files packed with gzip. However, the Horde MIME viewer erroneously handles gzip inline attachments differently. It simply unpacks these files (if supported by the server) and displays their contents inline within IMP. Thus, if the compressed file contains malicious code such as JavaScript, an attacker is able to execute arbitrary code to manipulate the web interface, delete messages or steal cookies.

Example:

* Copy <script>alert("Test");</script> into a file.
* Compress this file using gzip.
* Send the file as an inline attachment to your email account.
* Open the mail you received with your Horde application and the message will pop up.

The same effect can be observed with other applications that produce intermediate formats.

Example:

* Before compressing the file in the last example, simply tar it and proceed as before.
* Same effect.

Impact
======================================================================

Possible disclosure of user/session information and possible harm to the user due to deleted/manipulated messages/address books.

This vulnerability is only exploitable if the vulnerable version of the Horde MIME viewer is used together with a remotely accessible interface such as Horde IMP.

Solution/workaround
======================================================================

As long as this glitch is unremedied, the display of any inline message should be prevented (see config/mime_drivers.php). Alternatively, the css and tgz MIME drivers can be disabled by removing them from the $mime_drivers_map['horde']['registered'] list in horde/config/mime_drivers.php.

Horde also provides two patches to remove this vulnerability. For more details please see the Horde 3.0.7 security release.
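The root cause in the Details section is that decompressed attachment content reaches the browser as markup rather than as text. The following is an added example, not Horde's code and not the patch shipped in the 3.0.7 release: a minimal inline viewer for a gzip attachment that decompresses the bytes and HTML-escapes them before they are placed in the page. The function name renderGzipInline and the sample payload are constructed for this illustration.

```php
<?php
// Added example (not Horde's code, not the 3.0.7 patch): a minimal inline
// viewer for a gzip-compressed attachment that treats the decompressed bytes
// as untrusted text and HTML-escapes them before they reach the page.
// renderGzipInline() is a hypothetical name, not a Horde API.

/**
 * Decompress a gzip attachment and return it as inline HTML in which no
 * tag from the attachment is live. Returns null for non-gzip input.
 */
function renderGzipInline(string $attachmentBytes): ?string
{
    // '@' silences the warning gzdecode() emits on malformed input;
    // the return value is checked instead.
    $decoded = @gzdecode($attachmentBytes);
    if ($decoded === false) {
        return null;
    }

    // The defect the advisory describes corresponds to emitting $decoded
    // unescaped, e.g.  return '<pre>' . $decoded . '</pre>';
    // Any <script> inside the archive would then run in the webmail session.
    $escaped = htmlspecialchars($decoded, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<pre>' . $escaped . '</pre>';
}

// Constructed sample input: the advisory's test payload, gzip-compressed
// in memory so that no file on disk is needed.
$sample = gzencode('<script>alert("Test");</script>');

$html = renderGzipInline($sample);
echo $html, PHP_EOL;

// Self-check: the rendered output must not contain a live tag.
if ($html !== null && strpos($html, '<script') === false) {
    echo "ok: payload rendered as inert text\n";
} else {
    echo "FAIL: script tag survived\n";
}

// Malformed input is rejected rather than passed through to the page.
var_dump(renderGzipInline('not gzip data'));
```

The same rule covers the tar variant the advisory mentions: any string derived from an archive, including member file names in a listing, is attacker-controlled and must be escaped with the same care before it is rendered. Until a patched viewer is deployed, the configuration-level workaround in the Solution section (removing the css and tgz drivers from the registered list) remains the appropriate stop-gap.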
References
======================================================================

Horde                        http://www.horde.org
Horde IMP                    http://www.horde.org/imp/
Horde 3.0.7 security release http://lists.horde.org/archives/announce/2005/000232.html

About Daniel Schreckling
======================================================================

Since 2004, Daniel Schreckling (http://www.informatik.uni-hamburg.de/SVS/personnel/daniel/) has been a member of the Research Unit "Security in Distributed Systems" (http://www.informatik.uni-hamburg.de/SVS/) at the University of Hamburg.