Subject: ilohamail: XSS security bugs
Package: ilohamail
Version: 0.8.14-0rc3
Severity: important
Tags: security patch

Hello,

I have found a bunch of XSS (cross-site scripting) security problems in 
ilohamail.
If a victim opens an e-mail message from an attacker in ilohamail, the attacker
may include JavaScript code in the message in several places, and it will be
executed by the victim's browser. This allows for stealing sessions or even
passwords and executing commands in someone else's name.

The XSS bugs exist when:

a) showing the filename of an attachment
b) showing the MIME media type of an attachment
c) showing HTML mails

I have attached test messages and a patch. The test message ilohamail1.msg shows
issue c, and test message ilohamail2.msg shows issues a and b. The patch solves
issues a and b correctly, but the fix for issue c just uses strip_tags(). It can
be bypassed by using allowed HTML elements with dangerous attributes like style
or onMouseOver. A better fix would be to incorporate an HTML stripper library,
like, ahem, my own library kses ( http://sourceforge.net/projects/kses ) or any
similar program.

I have CC'ed upstream.

// Ulf Härnhammar for the Debian Security Audit Project
   http://www.debian.org/security/audit/

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages ilohamail depends on:
ii  apache [httpd]               1.3.33-4    versatile, high-performance HTTP s
ii  debconf                      1.4.30.11   Debian configuration management sy
ii  exim4-daemon-light [mail-tra 4.50-4      lightweight exim MTA (v4) daemon
ii  php4                         4:4.3.10-10 server-side, HTML-embedded scripti
ii  php4-cgi                     4:4.3.10-10 server-side, HTML-embedded scripti

-- debconf information:
  ilohamail/restart: false
* ilohamail/webserver_type: apache
* ilohamail/weblocation: /mejl

>From [EMAIL PROTECTED] Wed Apr 13 21:11:18 2005
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: ilohamail message #1
MIME-Version: 1.0
Content-type: text/html
Content-Transfer-Encoding: 7bit

<h1>ilohamail message #1</h1>
<b>ilohamail</b><br>
<a href="http://www.debian.org/">Debian</a><br>
<script>alert("XSS!")</script>

>From [EMAIL PROTECTED] Wed Apr 13 21:11:20 2005
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: ilohamail message #2
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="82I3+IH0IqGh5yIs"
Content-Disposition: inline


--82I3+IH0IqGh5yIs
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

ilohamail message #2


--82I3+IH0IqGh5yIs
Content-Type: application/x-httpd-php<script>alert('xss1')</script>
Content-Disposition: attachment; filename=test.php<script>alert('xss2')</script>
Content-Transfer-Encoding: 7bit

<?php
phpinfo();
?>

--82I3+IH0IqGh5yIs--

--- source/read_message.php.old 2004-04-08 23:16:37.000000000 +0200
+++ source/read_message.php     2005-04-13 20:55:40.610910256 +0200
@@ -275,9 +275,9 @@
                        echo "<a href=\"".$href."\" 
".(($type==1)||($type==2)||(($type==3)&&(strcasecmp($subtype, 
"ms-tnef")==0))?"":"target=_blank").">";
                        echo "<img 
src=\"themes/".$my_prefs["theme"]."/images/".$icons_a[$type]."\" border=0><br>";
                        echo "<span class=\"small\">";
-                       if (is_string($name)) echo LangDecodeSubject($name, 
$my_charset);
+                       if (is_string($name)) echo 
htmlspecialchars(LangDecodeSubject($name, $my_charset));
                        if ($bytes>0) echo "<br>[".ShowBytes($bytes)."]";
-                       if (is_string($typestring)) echo "<br>".$typestring;
+                       if (is_string($typestring)) echo 
"<br>".htmlspecialchars($typestring);
                        echo "</span>";
                        echo "</a>";
                        echo "</td>\n";
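Review bot: the two new `htmlspecialchars()` calls on the `$name` and `$typestring` lines rely on the default flags, so single quotes pass through unencoded and the conversion charset is PHP's default rather than the message's; since `LangDecodeSubject()` is already given `$my_charset`, pass it on as `htmlspecialchars(LangDecodeSubject($name, $my_charset), ENT_QUOTES, $my_charset)` (and likewise for `$typestring`) so the encoding matches the decoded text and the same call stays safe if it is ever reused inside an attribute. The context lines above still write `$href` into the `href` attribute and `$icons_a[$type]` into `src` without escaping; where those values originate is not visible in this hunk, so it is worth confirming neither can carry message-controlled data.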
--- include/read_message_print.inc.old  2004-11-30 07:28:23.000000000 +0100
+++ include/read_message_print.inc      2005-04-13 21:10:06.804228856 +0200
@@ -97,9 +97,9 @@
                                /* dump! */
                                        echo "<p>";
                                        if (strcasecmp($subtype, "html")==0){
-                                               if 
(!$my_prefs["html_in_frame"]){
-                                                       $body=strip_tags($body, 
'<a><b><i><u><p><br><font><div>');
-                                               }
+                                               # if 
(!$my_prefs["html_in_frame"]){
+                                               $body=strip_tags($body, 
'<a><b><i><u><p><br><font><div>');
+                                               # }
                                                $body = 
eregi_replace("src=\"cid:";, 
"src=\"view.php?user=$user&folder=$folder&id=$id&cid=", $body);
                                                echo $body;
                                        }else{
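Review bot: commenting out the `html_in_frame` condition makes `strip_tags()` run unconditionally, but `strip_tags()` removes only tags and keeps every attribute on the allowed ones, so `<a>`, `<div>` or `<font>` elements carrying `style` or `onMouseOver` attributes still reach `echo $body` unchanged (the report itself calls this part of the fix incomplete). Replace the `strip_tags()` call with an allow-list sanitizer that filters attributes and attribute values as well as tags, such as the kses library the reporter points to. Minor: delete the `if` line and its closing brace rather than leaving them behind as `#` comments.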

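The report's caveat about strip_tags() is that a tag allow-list alone keeps whatever attributes arrive on the allowed elements. The following is an added illustration, not code from the report, from ilohamail or from kses: it models the tag-only filter with ilohamail's own allowed-tag list beside a hardened filter that also allow-lists attributes per tag and restricts href to absolute http/https/mailto URLs. The attribute allow-list, the URL prefix list and the sample message body are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Tag allow-list: the same set the patched ilohamail code passes to strip_tags().
ALLOWED_TAGS = {"a", "b", "i", "u", "p", "br", "font", "div"}
VOID_TAGS = {"br"}
# Per-tag attribute allow-list (constructed for this example, not from the page).
ALLOWED_ATTRS = {"a": {"href"}, "font": {"color", "size", "face"}}
# Only absolute URLs with these schemes survive in an href (constructed policy).
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class _AllowListFilter(HTMLParser):
    """Rebuilds the document from parser events, keeping only allowed tags.

    keep_attrs=True models strip_tags(): attributes on allowed tags pass through.
    keep_attrs=False is the hardened form: attributes are allow-listed per tag.
    """

    def __init__(self, keep_attrs):
        super().__init__()
        self.keep_attrs = keep_attrs
        self.out = []

    @staticmethod
    def _value_ok(name, value):
        # href must be an absolute URL with an allowed scheme; other allowed
        # attributes (color, size, face) are plain tokens and are re-escaped below.
        if name == "href":
            return value is not None and value.strip().lower().startswith(SAFE_URL_PREFIXES)
        return True

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # drop the tag itself; its text content is still emitted as text
        if self.keep_attrs:
            kept = attrs
        else:
            kept = [(n, v) for n, v in attrs
                    if n in ALLOWED_ATTRS.get(tag, set()) and self._value_ok(n, v)]
        attr_text = "".join(f' {n}="{escape(v or "", quote=True)}"' for n, v in kept)
        self.out.append(f"<{tag}{attr_text}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text, including the body of a dropped <script>, is re-escaped so it is inert.
        self.out.append(escape(data, quote=True))

    def handle_comment(self, data):
        pass  # comments are dropped

    def result(self):
        self.close()
        return "".join(self.out)


def _run(html, keep_attrs):
    f = _AllowListFilter(keep_attrs)
    f.feed(html)
    return f.result()


def strip_tags_like(html):
    """Tag-only filtering, as strip_tags() with an allowed-tag list behaves."""
    return _run(html, keep_attrs=True)


def sanitize(html):
    """Tag plus attribute allow-listing."""
    return _run(html, keep_attrs=False)


# Constructed sample: the body of the report's test message #1 plus one allowed
# element carrying the kind of attributes the report says strip_tags() lets through.
SAMPLE = (
    '<h1>ilohamail message #1</h1>'
    '<b>ilohamail</b><br>'
    '<a href="http://www.debian.org/">Debian</a>'
    '<script>alert("XSS!")</script>'
    '<div onMouseOver="alert(1)" style="color:red">hover</div>'
)

if __name__ == "__main__":
    print("tag-only :", strip_tags_like(SAMPLE))
    print("hardened :", sanitize(SAMPLE))
```

Both filters remove the script element, but only the hardened one drops the onmouseover and style attributes on the allowed div; the tag-only output still contains them, which is the gap the report describes.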