Horde IMP v4.3.7 and lower are subject to a cross-site scripting (XSS)
vulnerability:

The fetchmailprefs.php script fails to properly sanitize user-supplied
input to the 'fm_id' URL parameter. If exploited, the injected code is
stored (persistent XSS) and will execute once the user (manually)
accesses the mail fetching preferences.
The following URL can be used as a proof of concept:

> [path_to_horde_imp]/fetchmailprefs.php?actionID=fetchmail_prefs_save&fm_driver=imap&fm_id=zzz%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E%3Cx+y%3D%22&fm_protocol=pop3&fm_lmailbox=INBOX&save=Create

Prior authentication to IMP is required for immediate exploitation.
Follow-up authentication is also possible if the victim's IMP
configuration has folder maintenance options disabled.
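To make the defect concrete, the following PHP is an added illustration and is not Horde IMP's code: it assumes a preferences form that echoes the submitted 'fm_id' value back into an HTML input attribute, and shows the unsafe reflection beside the output-encoded form. The sample input is constructed from the proof-of-concept value above.

```php
<?php
// Added illustration, not Horde IMP's own code. Assumes (hypothetically) that
// the preferences page writes the stored 'fm_id' value into an <input> attribute.

// Vulnerable pattern: the raw user-controlled value is concatenated into the
// attribute. A value such as  zzz"><script>...</script><x y="  closes the
// attribute and the tag, so the injected markup is rendered by the browser.
function render_fm_id_unsafe(string $fm_id): string
{
    return '<input type="text" name="fm_id" value="' . $fm_id . '" />';
}

// Hardened pattern: HTML-encode at output time. ENT_QUOTES turns both quote
// styles into entities, so the value can no longer terminate the attribute,
// and < / > become &lt; / &gt;, so no new tag can be opened.
function render_fm_id_safe(string $fm_id): string
{
    $escaped = htmlspecialchars($fm_id, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="fm_id" value="' . $escaped . '" />';
}

// Constructed sample input modelled on the advisory's proof-of-concept value.
$untrusted = $_GET['fm_id'] ?? 'zzz"><script>alert(\'XSS\')</script><x y="';

echo "Unsafe:   ", render_fm_id_unsafe($untrusted), "\n";
echo "Encoded:  ", render_fm_id_safe($untrusted), "\n";
```

Because the value is stored and rendered later, the encoding has to happen wherever the preference is written into HTML, not only on the request that saves it; restricting 'fm_id' to the identifier format the application actually expects before storing it is a useful second layer.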
This issue has been fixed by Jan Schneider of the Horde Project:

> http://git.horde.org/diff.php/imp/fetchmailprefs.php?rt=horde&r1=1.39.4.10&r2=1.39.4.11

According to him, Horde IMP v4.3.8 (or a release candidate) which fixes
this issue is to be released within the week. Release announcements will
likely be communicated through
http://lists.horde.org/mailman/listinfo/announce

Credits for this discovery:
Moritz Naumann
Naumann IT Security Consulting, Berlin, Germany
http://moritz-naumann.com
Thanks for reading,
Moritz
--
Naumann IT Security Consulting
Samariterstr. 16
10247 Berlin
Germany
Web http://moritz-naumann.com
GPG http://moritz-naumann.com/keys/0x277F060C.asc
17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C
Inhaber: Moritz Naumann · StNr. 22/652/12010 · USt-IdNr. DE266365097