FW: Squirrel Mail 1.2.7 XSS Exploit

[Christopher Wagner]

I saw this on bugtraq and remembered a discussion on Squirrelmail a little
while ago..  This may be useless and obsolete information by now, but I
thought it best to forward on the info anyway in case people are using older
versions.

- Christopher Wagner
chrisw at pacaids.com

Packaging Aids Corporation - Information Systems
P.O. Box 9144
San Rafael, CA 94912-9144
http://www.pacaids.com/
(415) 454-4868 x116


-----Original Message-----
From: DarC KonQuesT [mailto:DarC_KonQuesT at Phreaker.net]
Sent: Thursday, September 19, 2002 3:01 PM
To: bugtraq at securityfocus.com
Subject: Squirrel Mail 1.2.7 XSS Exploit


****Sorry if you receive two of these.****

DarC KonQuesT XSS Release-

Product: Squirrel Mail 1.2.7 - released June 21, 2002 (tested, others
possibly vulnerable)
Vendor: Squirrel Mail - Web: www.squirrelmail.org
Problem: Cross Site Scripting
Severity: Moderate
Operating System(s): Tested against Red Hat 7.3, all others vulnerable if
they are using this version of Squirrel.

Discovered: August 4, 2002
Vendor Notified: um...now?
Public Release: Now - September 10

Background:
Squirrel Mail is a webmail daemon that provides a HTTP mail interface using
PHP.

Release Notes:
    I **DID NOT** notify the developers (until now) because I am a lazy SoB
and my motivation is lacking (free lance, unpaid, bored guy). I kept putting
it off (notice discovery date and the release now) and now they've released
several newer versions (most recently 1.3.1), which I have not tested.
Because of the release(S) of the new versions and due to my gross
slothfulness, I've decided to do a direct public release. Also, for those of
you who know PHP, you should be able to fix this problem without much
trouble. Apologies to those who feel like they're getting screwed over by
this.

Problem:
    User input is not sanitized so execution of arbitrary code on a client
computer is possible through a Cross Site Scripting (XSS) hole while the
code executes under the domain of the site which the webmail is hosted at.
Similar holes exist in the following utilized scripts:
    addressbook.php
    options.php
    search.php
    help.php

_MAIN_ Exploit:
    The XSS hole I developed the most is in addressbook.php. I was able to
inject and execute javascript code and after opening the addressbook page
there was no indication that I had changed anything (after entering the HTML
comment tags to get rid of some hanging code that my javascript had made
text).

The URL I crafted for the exploit is as follows:

http://<VULNERABLE
SITE>.net/webmail/src/addressbook.php?"><script>alert(document.cookie)</scri
pt><!--

If you execute the code without the HTML comment tag on the end it leaves a
nasty hanging bit of HTML code which is a clear indication that something
has gone awry to many users (however some may ignore it as they don't
understand it).

_OTHER_ Holes:

1) This will reveal the path to PHP directory and other...maybe interesting
to someone, I didn't really care but decided to include it. The problem is
in options.php.

http://<VULNERABLE
SITE>.net/webmail/src/options.php?optpage=<script>alert('boop!')</script>

it returns the following on the page for the server I tested:
Fatal error: Failed opening required ''
(include_path='.:/php/includes:/usr/share/php') in
/var/www/squirrelmail/src/options.php on line 172

2) This is a XSS hole in search.php:

http://<VULNERABLE
SITE>.net/webmail/src/search.php?mailbox=<script>alert('boop!')</script>&wha
t=x&where=BODY&submit=Search

3) Another in search.php

http://<VULNERABLE
SITE>.net/webmail/src/search.php?mailbox=INBOX&what=x&where=<script>alert('b
oop!')</script>&submit=Search

4) XSS in help.php:

http://<VULNERABLE
SITE>.net/webmail/src/help.php?chapter=<script>alert('boop!')</script>

5) XSS in addressbook (different):
    Manually entered nicks, email addresses, first names, last names, and
info sections in the addressbook are not filtered so script can be placed
and executed through them the next time the page is viewed.

Vendor Action:
    I didn't notify....yeah yeah I know....

Aftermath:
    It seems to me this has all the normal dangers of a XSS hole so listing
them seems pointless (I'm sure we've all seen them). If someone expands this
idea to include other/larger possibilites I'd be interested in hearing about
it.
FINAL UPDATE - 9/10/02 I found what I believe is the main developer or head
guy's email address so I'm direct mailing him too. Maybe he can tell us if
the newer versions are fixed.

(---There was a section here about a quote from their page --Revision=
Konstantin ("Icon") Riabitsev informed me that MagicHTML has nothing to do
with this but with the protection of email viewed in HTML form...seriously
helliphino I didn't bother to look it up.  Thanks for the correction.--)

Later on, and have fun,

- DarC KonQuesT -(DiR)-
    Ringleader - DarC Horizons
    United States of America

Greets:
DarCLinG, V3ga, st3v3, Jenn, Christina, John (heh, you're next)

"Congress shall make no law abridging the freedom of sXXXch, or the right of
the people peaceably to XXXemble, and to peXXXion the government for a
redress of grievances." -- Marc Rotenberg




---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.377 / Virus Database: 211 - Release Date: 7/15/02




SPAM: ---- Start SpamAssassin results
SPAM: 1.8 hits, 5 required;
SPAM: *  0.1 -- BODY: Uses words and phrases which indicate porn (10)
SPAM: *  1.7 -- BODY: JavaScript code
SPAM:
SPAM: ---- End of SpamAssassin results