NOCC: cross-site-scripting bug

From: ppp-design (security@ppp-design.de)
Date: Tue May 14 2002 - 06:33:29 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    ppp-design found the following cross-site-scripting bug in NOCC:
    
    
    Details
    - -------
    Product: NOCC
    Affected Version: 0.9.5 and maybe all versions before
    Immune Version: none, authors are working on it
    OS affected: all OS with php and mysql
    Vendor-URL: http://nocc.sourceforge.net/
    Vendor-Status: informed, working on a new version
    Security-Risk: high
    Remote-Exploit: Yes
    
    
    Introduction
    - ------------
    NOCC is a webmail client written in PHP. It provides webmail access to
    IMAP and POP3 accounts. Unfortunately, the software displays a message
    without checking it for any malicious code.
    
    
    More details
    - ------------
    A mail (even a plain-text mail) is rendered as HTML. So a blackhat can
    include arbitrary malicious code in an email and easily get full access
    to the recipient's mailbox.
    
    
    Proof-of-concept
    - ----------------
    Just write an email to any NOCC user with the following text inside:
    
    <script>alert(document.cookie)</script>
    
    When the user reads the mail, a popup appears showing the user's
    session ID. Of course there are many other ways to make use of this
    bug.
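The defect described above and the proof-of-concept payload, shown side by side with a hardened renderer, as an added example that is not NOCC's code and not part of the original advisory. The two renderer functions and the sample mail body are constructed for this illustration; the point is that a plain-text message must be HTML-escaped before it is placed in the page, which neutralizes every tag, not only the `<script>` element used in the proof-of-concept.

```python
"""Added example (not NOCC's code): an unescaped text-mail renderer that
reproduces the defect the advisory describes, next to an escaped one."""
import html
import re

# Constructed sample: a plain-text mail whose body carries the advisory's
# proof-of-concept payload.
SAMPLE_BODY = "Hi,\n\n<script>alert(document.cookie)</script>\n\nRegards"


def render_unescaped(body: str) -> str:
    """Hypothetical unsafe renderer: the text body is dropped into the page
    as-is, so any markup in the mail becomes part of the page the browser
    executes. This is the behaviour the advisory reports, nothing more."""
    return "<pre>" + body + "</pre>"


def render_escaped(body: str) -> str:
    """Hardened renderer: every HTML metacharacter in the body is escaped,
    so the browser displays the payload as text instead of executing it.
    Line breaks are converted *after* escaping, so the <br> tags added here
    are the only markup that can reach the page."""
    escaped = html.escape(body, quote=True)
    return "<div>" + escaped.replace("\n", "<br>\n") + "</div>"


# Anything the browser would parse as a start or end tag.
_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")


def contains_markup(text: str) -> bool:
    """True if the string contains anything resembling an HTML tag. Usable
    both to check renderer output and, on the receiving side, to flag inbound
    text mails that carry markup for review or logging."""
    return _TAG.search(text) is not None


def body_is_neutralized(body: str) -> bool:
    """True when the escaped rendering of `body` contains no tag other than
    the <div>/<br> wrappers the renderer itself emits."""
    rendered = render_escaped(body)
    inner = rendered[len("<div>"):-len("</div>")].replace("<br>\n", "\n")
    return not contains_markup(inner)


if __name__ == "__main__":
    print("unsafe:", render_unescaped(SAMPLE_BODY))
    print("safe:  ", render_escaped(SAMPLE_BODY))
    print("payload neutralized:", body_is_neutralized(SAMPLE_BODY))
```

`contains_markup` is deliberately a coarse check: it is a sanity test on the renderer's output and a cheap inbound indicator, not a substitute for escaping, which is the actual fix.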
    
    
    Temporary-fix
    - -------------
    Users could disable JavaScript, but because there are still other ways
    to inject malicious code, this only stops this particular
    proof-of-concept from working.
    
    
    Fix
    - ---
    None at the moment, but the authors are already working on a new version.
    
    
    Security-Risk
    - -------------
    Because the software is widely used according to the vendor's website,
    and any blackhat can easily get full access to any email account that
    is managed using NOCC, we rate the security risk as high.
    
    
    Vendor status
    - -------------
    We have informed the core developers, who reacted quickly and in a
    commendable way. They entered the bug into their Bugzilla system. So
    there is no need for us to delay this publication, although no fix is
    ready yet.
    
    
    Disclaimer
    - ----------
    All information that can be found in this advisory is believed to be
    true, but maybe it isn't. ppp-design cannot be held responsible for the
    use or misuse of this information. Redistribution of this text is only
    permitted if the text has not been altered and the original author
    ppp-design (http://www.ppp-design.de) is mentioned.
    
    
    This advisory can be found online at:
    http://www.ppp-design.de/advisories.php
    
    
    - --
    ppp-design
    http://www.ppp-design.de
    Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
    Fingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (GNU/Linux)
    Comment: Weitere Infos: siehe http://www.gnupg.org
    
    iD8DBQE84RIpDXh7YLO1RRoRAgx7AKDqa7GcWbA63m5VC8OckzjrOItdEQCgvBbU
    1A8yDzFcsP7YdapdLjGP24A=
    =Apoo
    -----END PGP SIGNATURE-----
    



    This archive was generated by hypermail 2b30 : Tue May 14 2002 - 08:14:25 PDT