[Fwd: SquirrelMail v1.2.9 XSS bugs]

ME dugan at passwall.com
Tue Dec 3 11:49:56 PST 2002


I know I am not the only user on these lists using SM. If you are, you may
want to examine an update to 1.2.10 - though, the authors of this
security announcement state they do not know if this security hole works
against 1.2.10 yet.

If you are the only one to use SM on your box, consider putting it behind
an ssl based, basic-auth dir so that it is not easy for non-authenticated
users to try to run an exploit or steal a password from a user who has
access to a SM account to perform an exploit.

Enjoy...
-ME
-- 
  Campus IT(/OS Security): Operating Systems Support Specialist Assistant


-------- Original Message --------
Subject: SquirrelMail v1.2.9 XSS bugs
From: "euronymous" <just-a-user at yandex.ru>
Date: Mon, December 2, 2002 8:28 pm
To: bugtraq at securityfocus.com, vulnwatch at vulnwatch.org

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: SquirrelMail v1.2.9 XSS bugs
product: SquirrelMail v1.2.9
vendor: www.squirrelmail.org
risk: low
date: 12/3/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/008.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

description
-----------
when reading some email you can insert scripting code..
read_body.php doesn't filter user input in the `mailbox' and
`passed_id' variables. btw, v1.2.10 was released today. i don't
know if this version contains this xss.

sample attack
-------------
http://hostname/src/read_body.php?mailbox=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&passed_id=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&
startMessage=1&show_more=0

[it must be in a single string]

a non-URL-encoded string works fine also.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all
russian security guyz!!
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================
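The advisory reports that read_body.php places the `mailbox' and `passed_id' query parameters into the page without filtering. The following is an added illustration, not SquirrelMail's own code: a hypothetical function that echoes the parameters the vulnerable way beside one that validates `passed_id' as a message number and HTML-encodes `mailbox' on output. The function names and the input array are constructed for this example.

```php
<?php
// Added example, not SquirrelMail code. Shows why echoing the `mailbox'
// and `passed_id' request parameters unencoded is a reflected-XSS sink
// and how validation plus output encoding removes it.

// Vulnerable pattern: query-string values are pasted straight into the
// HTML response, so a "<script>" inside them becomes live markup.
function render_mailbox_link_vulnerable(array $get): string {
    $mailbox   = $get['mailbox'] ?? 'INBOX';
    $passed_id = $get['passed_id'] ?? '';
    return "<a href=\"read_body.php?mailbox=$mailbox&passed_id=$passed_id\">"
         . "$mailbox / $passed_id</a>";
}

// Hardened pattern: validate what has a known shape (passed_id is a
// message number) and HTML/URL-encode everything else that reaches the page.
function render_mailbox_link_safe(array $get): string {
    $mailbox = $get['mailbox'] ?? 'INBOX';
    $raw_id  = (string)($get['passed_id'] ?? '');
    // Reject any message id that is not purely numeric.
    $passed_id = ctype_digit($raw_id) ? (int)$raw_id : 0;
    $mbox_html = htmlspecialchars($mailbox, ENT_QUOTES, 'UTF-8');
    $mbox_url  = urlencode($mailbox);
    return "<a href=\"read_body.php?mailbox=$mbox_url&passed_id=$passed_id\">"
         . "$mbox_html / $passed_id</a>";
}

// Constructed input: what $_GET would hold after PHP decodes the
// advisory's sample URL.
$input = [
    'mailbox'   => '<script>alert(document.cookie)</script>',
    'passed_id' => '<script>alert(document.cookie)</script>',
];

$bad  = render_mailbox_link_vulnerable($input);
$good = render_mailbox_link_safe($input);

// The vulnerable output carries a live <script> element; the hardened
// output carries only the encoded text &lt;script&gt; and passed_id=0.
assert(strpos($bad,  '<script>') !== false);
assert(strpos($good, '<script>') === false);
assert(strpos($good, '&lt;script&gt;') !== false);
assert(strpos($good, 'passed_id=0') !== false);
echo $good, "\n";
```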
