|
============================================INTERNET SECURITY AUDITORS ALERT 2006-010
- Original release date: September 28, 2006
- Last revised: December 1, 2006
- Discovered by: Vicente Aguilera Diaz
- Severity: 3/5
============================================
I. VULNERABILITY
-------------------------
XSS vulnerability in error page of ISMail.
II. BACKGROUND
-------------------------
ISMail is a webmail system. Programmed in HTML and PHP, it is designed
to work with any imap server. ISMail requires that PHP 4.2+, compiled
with and IMAP and Session support, be installed on the server that
runs it. You have a choice of data-store backends (xml, encrypted
xml, mysql, and postgresql are included, each requiring their
respective PHP modules), and miscellaneous other options that can make
the Inside Systems Mail experience a little friendlier. Unlike most
other webmail programs, Inside Systems Mail is both quick and easy to
use. The layout, complete with address book and folder options, is
simple and familiar to most users. For administrators, the
data-stores and options are easily extensible so that Inside Systems
Mail can be dropped in nearly any configuration with minimal extra coding.
The product homepage is:
http://www.insidesystems.net/projects/project.php?projectid=4
III. DESCRIPTION
-------------------------
The error page "error.php" receives a parameter facilitated in the
querystring that shows the error message.
This parameter ("error") can be manipulated by an attacker to inject
arbitrary script/HTML code.
This is dangerous because it's possible to realize XSS's attacks to
obtain the session cookies of authenticated users and to spoof his
session, or deface the error page.
IV. PROOF OF CONCEPT
-------------------------
Example of XSS attack:
http://