[27151] in bugtraq
JAWmail XSS
daemon@ATHENA.MIT.EDU (Ulf Harnhammar)
Mon Sep 23 11:37:23 2002
Date: Mon, 23 Sep 2002 02:27:43 +0200 (CEST)
From: Ulf Harnhammar <ulfh@update.uu.se>
To: bugtraq@securityfocus.com
Message-ID: <Pine.LNX.4.21.0209230223370.11346-100000@Tempo.Update.UU.SE>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
JAWmail XSS
PROGRAM: JAWmail
VENDOR: Rudi Benkovic <rudi@jawmail.org> et al.
HOMEPAGE: http://www.jawmail.org/
VULNERABLE VERSIONS: 1.0-rc1, possibly others
IMMUNE VERSIONS: 2.0-rc1 and later
LOGIN REQUIRED: no
SEVERITY: high
DESCRIPTION:
JAWmail (Just Another Web Mail) is a pretty ambitious web mail
client project. It is written in PHP, and it is published under
the GNU GPL.
SUMMARY:
There are several cross-site scripting holes in JAWmail that are
triggered by reading incoming e-mail messages. An attacker can
use them to take over a victim's e-mail account by simply sending
certain malicious e-mails to the victim.
TECHNICAL DETAILS:
1) Read Mail shows the names of attached files without cleaning
those names (removing HTML elements).
2) text/html mails are not cleaned at all, when they are shown in
a pop-up window.
3) When Read Mail displays text/html mails, they are cleaned with
PHP's strip_tags() function with some appropriate parameters. This
function removes evil HTML elements, but not nice HTML elements
with evil HTML attributes, so you can still perform XSS attacks like:
<b onMouseOver="alert(document.cookie)">bolder</b>
// Ulf Harnhammar
ulfh@update.uu.se
http://www.metaur.nu/
