NOCC is a webmail client written in PHP. It provides webmail access to IMAP and POP3 accounts. A security vulnerability in the product allows remote attackers to cause it to return arbitrary HTML and JavaScript to end users.
Credit:
The information has been provided by Ulf Harnhammar.
Vulnerable systems:
* NOCC version 0.9.5 and prior
NOCC has got several cross-site scripting holes when displaying e-mail messages. They allow an attacker to take over a victim's e-mail account and/or perform actions against the victim's will, by simply sending a malicious e-mail message to the victim.
Technical details:
1) If the e-mail message's MIME type is text/plain, the program doesn't remove any HTML code from the mail body. It is shown "live".
2) When the victim selects "View header", no HTML codes are removed from mail headers like Subject and Date (yes, you can write whatever you like in the Date header).
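Added example (not NOCC code and not part of Ulf's patch): one way to render the two outputs described in 1) and 2) on a current PHP version, escaping before any markup is generated. The function names and the sample message are constructed for illustration.

```php
<?php
// Added illustration; render_headers() and render_plain_body() are
// hypothetical names, not functions from NOCC.

const ESC_FLAGS = ENT_QUOTES | ENT_SUBSTITUTE; // escape both quote types, keep output on bad bytes

// Item 2: the raw header block shown by "View header". Every header,
// including Subject and Date, is sender-controlled text.
function render_headers(string $rawHeaders): string
{
    return '<pre>' . htmlspecialchars($rawHeaders, ESC_FLAGS, 'UTF-8') . '</pre>';
}

// Item 1: a text/plain body. Escape first, then add links on the
// already-escaped text, so the only markup in the result is our own.
function render_plain_body(string $body): string
{
    $safe = htmlspecialchars($body, ESC_FLAGS, 'UTF-8');

    // Match http/https/ftp URLs only. "&amp;" may appear inside a URL, but
    // the match stops before any other entity (&gt;, &quot;, &#039;), so a
    // URL written as <http://...> does not swallow the closing bracket.
    $safe = preg_replace_callback(
        '~\b(?:https?|ftp)://(?:&amp;|[^\s<>&"\'])+~i',
        function (array $m): string {
            // $m[0] is already HTML-escaped, so it is safe inside href="".
            return '<a href="' . $m[0] . '" target="_blank" rel="noopener noreferrer">'
                 . $m[0] . '</a>';
        },
        $safe
    );

    return nl2br($safe);
}

// Constructed sample message: markup in two headers and in the body.
$headers = "Subject: <script>alert(1)</script>\n"
         . "Date: <img src=x onerror=alert(2)>";
$body    = "See <http://example.com/?a=1&b=2>\n<script>alert(3)</script>";

echo render_headers($headers), "\n";
echo render_plain_body($body), "\n";
```

Viewing the output source shows the injected tags as inert text (&lt;script&gt; and so on), with the only live element being the generated link.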
Vendor status:
The vendor was contacted on the 9th and the 10th of July. They haven't released any official fixed version yet.
Unofficial patch:
Ulf wrote a patch for these security holes, and it is included in this mail as an attachment. Ulf has patched it against version 0.9.5.
--- nocc-0.9.5/functions.php.old Sun Oct 20 00:12:34 2002
+++ nocc-0.9.5/functions.php Sun Oct 20 00:27:12 2002
@@ -213,7 +213,7 @@
'body' => $glob_body,
'body_mime' => $tmp['mime'],
'body_transfer' => $tmp['transfer'],
- 'header' => $header,
+ 'header' => htmlspecialchars($header),
'verbose' => $verbose,
'prev' => $prev_msg,
'next' => $next_msg
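Review bot: On the changed 'header' line, htmlspecialchars() is called with its default flags, which on PHP releases before 8.1 leave single quotes unescaped; pass ENT_QUOTES so the value stays safe if a template ever places it inside a single-quoted attribute. The array now mixes an already-escaped 'header' with a 'body' entry that is still passed through as $glob_body, so a short comment stating which entries are HTML-escaped would keep later callers from double-escaping one or printing the other raw.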
@@ -444,6 +444,7 @@
}
elseif (eregi('plain', $mime))
{
+ $body = htmlspecialchars($body);
$body = eregi_replace("(http|https|ftp)://([a-zA-Z0-9+-=%&:_.~?]+[#a-zA-Z0-9+]*)","<a href=\"\\1://\\2\" target=\"_blank\">\\1://\\2</a>", $body);
$body = eregi_replace("([#a-zA-Z0-9+-._]*)@([#a-zA-Z0-9+-_]*)\.([a-zA-Z0-9+-_.]+[#a-zA-Z0-9+]*)","<a href=\"$PHP_SELF?action=write&mail_to=\\1@\\2.\\3&lang=$lang\">\\1@\\2.\\3</a>", $body);
$body = nl2br($body);
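Review bot: With the new htmlspecialchars() call placed ahead of the URL eregi_replace, a URL written in angle brackets now ends in "&gt;", and the bracket expression on the next line accepts "&", letters and ";" (the "+-=" range covers ";"), so the trailing entity is pulled into both the href and the link text. Escaping before linkifying is the right order and should stay; suggest tightening that character class or trimming a trailing entity from the match, and adding a comment that the escape must remain the first statement in this branch. The mail-link line also interpolates $PHP_SELF and $lang into the href without escaping, which is worth the same treatment.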