<<< Date Index >>>     <<< Thread Index >>>

[ISecAuditors Security Advisories] XSS vulnerability in error page of ISMail



=============================================
INTERNET SECURITY AUDITORS ALERT 2006-010
- Original release date: September 28, 2006
- Last revised: December 1, 2006
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
=============================================

I. VULNERABILITY
-------------------------
XSS vulnerability in error page of ISMail.

II. BACKGROUND
-------------------------
ISMail is a webmail system. Programmed in HTML and PHP, it is designed
to work with any imap server. ISMail requires that PHP 4.2+, compiled
with and IMAP and Session support, be installed on the server that
runs it.  You have a choice of data-store backends (xml, encrypted
xml, mysql, and postgresql are included, each requiring their
respective PHP modules), and miscellaneous other options that can make
the Inside Systems Mail experience a little friendlier.  Unlike most
other webmail programs, Inside Systems Mail is both quick and easy to
use.  The layout, complete with address book and folder options, is
simple and familiar to most users.  For administrators, the
data-stores and options are easily extensible so that Inside Systems
Mail can be dropped in nearly any configuration with minimal extra coding.

The product homepage is:
http://www.insidesystems.net/projects/project.php?projectid=4

III. DESCRIPTION
-------------------------
The error page "error.php" receives a parameter facilitated in the
querystring that shows the error message.

This parameter ("error") can be manipulated by an attacker to inject
arbitrary script/HTML code.

This is dangerous because it's possible to realize XSS's attacks to
obtain the session cookies of authenticated users and to spoof his
session, or deface the error page.

IV. PROOF OF CONCEPT
-------------------------
Example of XSS attack:
http://<webserver>/<path_to_ismail>/error.php?error=XSS%20attack%3Cscript%3Ealert(document.cookie);%3C/script%3E

V. BUSINESS IMPACT
-------------------------
An attacker can spoof the session of other authenticated users
allowing to access to his mail, or deface the error page.

VI. SYSTEMS AFFECTED
-------------------------
This vulnerability has been tested in the last version of ISMail (2.0,
released on 2005-01-20)
Possibly all versions are affected by this vulnerability.

VII. SOLUTION
-------------------------
Update version from the repository.

VIII. REFERENCES
-------------------------
http://www.insidesystems.net/projects/project.php?projectid=4

IX. CREDITS
-------------------------
This vulnerability has been discovered and reported by
Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com).

X. REVISION HISTORY
-------------------------
September 28, 2006: Initial release.

XI. DISCLOSURE TIMELINE
-------------------------
September 27, 2006  Vulnerability acquired by Vicente Aguilera Diaz
                    Internet Security Auditors (www.isecauditors.com)
September 28, 2006  Initial vendor notification sent.
October    1, 2006  The vendor fixed the vulnerability in the
                    repository.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors, S.L. accepts no responsibility for any
damage caused by the use or misuse of this information.