SquirrelMail Cross Scripting Attacks....

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: SquirrelMail Cross Scripting Attacks....
From: Alvin Alex <alvin_gboy@xxxxxxxxxxx>
Date: 29 Apr 2004 21:09:06 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


SquirrelMail latest version (although is tested on version 1.4.2) is prone to 
many cross scripting attacks that can be used to steal user cookies.The Exploit 
lies in the way squirrel mail represents the folder names and shows them.To 
make the matters worse.No extra unique variable added to the url for each user 
therefore it is easy for the attacker to just pass the url in mail and steal 
the session cookie.

Some of the exploit are at :

http://victim.com/mail/src/compose.php?mailbox=INBOX

which can be replaced as follows

http://victim.com/mail/src/compose.php?mailbox=";>&lt;script&gt;malacious 
script&lt;/script&gt;

Example:

http://victim.com/mail/src/compose.php?mailbox=";>&lt;script&gt;window.alert(document.cookie)&lt;/script&gt;

-------------------------------------------------------------------------

Squirrel Mail Coders have been informed of this vulnerability but the 
vulnerability still exists in their latest version.

-------------------------------------------------------------------------

Please Let me know if i am wrong anywhere...

Regards,
Alvin

Follow-Ups:
- Re: SquirrelMail Cross Scripting Attacks....
  - From: Jonathan Angliss

Prev by Date: TSLSA-2004-0024 - rsync
Next by Date: A technical description of the SSL PCT vulnerability (CVE-2003-0719)
Previous by thread: TSLSA-2004-0024 - rsync
Next by thread: Re: SquirrelMail Cross Scripting Attacks....
Index(es):
- Date
- Thread