Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15300
HistoryDec 05, 2006 - 12:00 a.m.

[ISecAuditors Security Advisories] XSS vulnerability in error page of ISMail

2006-12-0500:00:00
vulners.com
29
JSON

=============================================
INTERNET SECURITY AUDITORS ALERT 2006-010

  • Original release date: September 28, 2006
  • Last revised: December 1, 2006
  • Discovered by: Vicente Aguilera Diaz
  • Severity: 3/5
    =============================================

I. VULNERABILITY

XSS vulnerability in error page of ISMail.

II. BACKGROUND

ISMail is a webmail system. Programmed in HTML and PHP, it is designed
to work with any imap server. ISMail requires that PHP 4.2+, compiled
with and IMAP and Session support, be installed on the server that
runs it. You have a choice of data-store backends (xml, encrypted
xml, mysql, and postgresql are included, each requiring their
respective PHP modules), and miscellaneous other options that can make
the Inside Systems Mail experience a little friendlier. Unlike most
other webmail programs, Inside Systems Mail is both quick and easy to
use. The layout, complete with address book and folder options, is
simple and familiar to most users. For administrators, the
data-stores and options are easily extensible so that Inside Systems
Mail can be dropped in nearly any configuration with minimal extra coding.

The product homepage is:
http://www.insidesystems.net/projects/project.php?projectid=4

III. DESCRIPTION

The error page "error.php" receives a parameter facilitated in the
querystring that shows the error message.

This parameter ("error") can be manipulated by an attacker to inject
arbitrary script/HTML code.

This is dangerous because it's possible to realize XSS's attacks to
obtain the session cookies of authenticated users and to spoof his
session, or deface the error page.

IV. PROOF OF CONCEPT

Example of XSS attack:
http://<webserver>/<path_to_ismail>/error.php?error=XSS%20attack%3Cscript%3Ealert(document.cookie);%3C/script%3E

V. BUSINESS IMPACT

An attacker can spoof the session of other authenticated users
allowing to access to his mail, or deface the error page.

VI. SYSTEMS AFFECTED

This vulnerability has been tested in the last version of ISMail (2.0,
released on 2005-01-20)
Possibly all versions are affected by this vulnerability.

VII. SOLUTION

Update version from the repository.

VIII. REFERENCES

http://www.insidesystems.net/projects/project.php?projectid=4

IX. CREDITS

This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com).

X. REVISION HISTORY

September 28, 2006: Initial release.

XI. DISCLOSURE TIMELINE

September 27, 2006 Vulnerability acquired by Vicente Aguilera Diaz
Internet Security Auditors (www.isecauditors.com)
September 28, 2006 Initial vendor notification sent.
October 1, 2006 The vendor fixed the vulnerability in the
repository.

XII. LEGAL NOTICES

The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.

JSON