SquirrelMail Address Add Plugin XSS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
SA0002
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++ SquirrelMail Address Add Plugin XSS +++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
PUBLISHED ON
Sep 28, 2005
PUBLISHED AT
http://moritz-naumann.com/adv/0002/sqmadd/0002.txt
PUBLISHED BY
Moritz Naumann IT Consulting & Services
Hamburg/Germany
http://moritz-naumann.com/
info AT moritz HYPHON naumann D0T com
GPG key: http://moritz-naumann.com/keys/0x277F060C.asc
AFFECTED PRODUCT OR SERVICE
Address Add Plugin for Squirrelmail >= v1.4.0
by Jimmy Conner
http://sqmail.org/
AFFECTED VERSION
Address Add Plugin Versions 1.9 and 2.0
Possibly versions < 1.9 (untested)
BACKGROUND
Everybody knows XSS.
http://en.wikipedia.org/wiki/XSS
http://www.cgisecurity.net/articles/xss-faq.shtml
ISSUE
A XSS vulnerability has been detected in the Address Add Plugin for
Squirrelmail. The problem is caused by insufficient input sanitation.
Sending a HTML email containing an IMG tag which provides a SRC
attribute pointing at the vulnerable plugin may allow an attacker to
retrieve the victims' cookie and session information without the
victim being aware. The exploit may be triggered when the victim
clicks on a specially crafted URL contained in the email and hovers
the address book form field.
The following partial URL demonstrates the issue:
/squirrelmail_root_dir/plugins/address_add/add.php?first=HOVER%20ME!%22%20onMouseOver=%22alert('foo');
Please move your mouse pointer over the input field which says so.
Other variables on this script can be misused in the same way.
WORKAROUND
Disable Javascript or disable plugin.
SOLUTIONS
Version 2.1 of the plugin fixes the issue. The update is available on
boths the developers' website at
http://sqmail.org
and on the SquirrelMail website at
http://squirrelmail.org/plugin_view.php?id=101
TIMELINE
Sep 24, 2005: Maintainer informed
Sep 25, 2005: First maintainer reply
Sep 25, 2005: Maintainer provides fix
Sep 29, 2005: Public disclosure
CREDIT
N/A
LICENSE
Creative Commons Attribution-ShareAlike License Germany
http://creativecommons.org/licenses/by-sa/2.0/de/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDOx0En6GkvSd/BgwRAu4MAKCFk8Qawjt5p5oG1NYJpbvb9S1P5wCfdhDx
KWCJsXrTsmDnB3zv9gN3Nec=
=+0J4
-----END PGP SIGNATURE-----