what you don't know can hurt you

Telaen 1.3.0 XSS / Open Redirection / Disclosure

Telaen 1.3.0 XSS / Open Redirection / Disclosure
Posted Jun 4, 2013
Authored by Manuel Garcia Cardenas | Site isecauditors.com

Telaen versions 1.3.0 and below suffer from cross site scripting, open redirection, and path disclosure vulnerabilities.

tags | exploit, vulnerability, xss, info disclosure
advisories | CVE-2013-2621, CVE-2013-2623, CVE-2013-2624
MD5 | 5d8f7bef930e6b0ddf12a1715d262f6d

Telaen 1.3.0 XSS / Open Redirection / Disclosure

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2013-009
- Original release date: March 15th, 2013
- Last revised: June 4th, 2013
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2621,
CVE-2013-2623,
CVE-2013-2624
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Telaen <= 1.3.0

II. BACKGROUND
-------------------------
Telaen is a webmail reader application supporting both IMAP and POP3
protocols. It can be installed without dependence of any PHP's extra
modules or a separate database. It is Open source software published
under GNU General Public License (GPL).

The last version of Telaen is 1.3.0 released on January 2012.

III. DESCRIPTION
-------------------------
Telaen 1.3.0 and lower versions contain a flaw that allows a remote
redirection attack. This flaw exists because the application does not
properly sanitise the file "redir.php". This allows an attacker to
create a specially crafted URL, that if clicked, would redirect a
victim from the intended legitimate web site to an arbitrary web site
of the attacker's choice.

Aditionaly, it has been detected a reflected XSS vulnerability in
Telaen 1.3.0 and lower versions, that allows the execution of
arbitrary HTML/JavaScript code to be executed in the context of the
victim user's browser. The code injection is done through the
parameter "f_email" in the page index.php.

Due to the errors caused by the application Telaen 1.3.0 and lower
versions, we can display the full webapp installation path.

IV. PROOF OF CONCEPT
-------------------------
REDIRECT:
http://vulnerablesite.com/telaen/redir.php?http://www.malicious-site.com

XSS:
http://vulnerablesite.com/telaen/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>

FULL PATH DISCLOSURE: http://vulnerablesite.com/telaen/inc/init.php

V. BUSINESS IMPACT
-------------------------
REDIRECT: An attacker can redirect any user to any malicious website.
Below I have mentioned the vulnerable URL.

XSS: An attacker can execute arbitrary HTML or JavaScript code in a
targeted user's browser, this can leverage to steal sensitive
information as user credentials, personal data, etc.

FULL PATH DISCLOSURE: An attacker can obtain the full path to the
applitation and if the webroot is getting leaked, attackers may abuse
the knowledge and use it in combination with file inclusion
vulnerabilites to steal configuration files regarding the web
application or the rest of the operating system.

VI. SYSTEMS AFFECTED
-------------------------
Versions of Telaen < v1.3.1.

VII. SOLUTION
-------------------------
REDIRECT AND XSS: All data received by the application and can be
modified by the user, before making any kind of transaction with them
must be validated.

FULL PATH DISCLOSURE: Turn off display errors in the configuration and
unify the error pages.

VIII. REFERENCES
-------------------------
http://www.telaen.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
------------------------
March 15, 2013: Initial release.
June 4, 2013: Last release

XI. DISCLOSURE TIMELINE
-------------------------
March 15, 2013: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 20, 2013: Sent to Devel Team.
March 28, 2013: Schedule for new version.
April 4, 2013: New version published.
June 3, 2013: Advisory sent to lists.


XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security
advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    2 Files
  • 2
    Jul 2nd
    3 Files
  • 3
    Jul 3rd
    15 Files
  • 4
    Jul 4th
    4 Files
  • 5
    Jul 5th
    15 Files
  • 6
    Jul 6th
    15 Files
  • 7
    Jul 7th
    10 Files
  • 8
    Jul 8th
    2 Files
  • 9
    Jul 9th
    10 Files
  • 10
    Jul 10th
    15 Files
  • 11
    Jul 11th
    15 Files
  • 12
    Jul 12th
    19 Files
  • 13
    Jul 13th
    16 Files
  • 14
    Jul 14th
    15 Files
  • 15
    Jul 15th
    3 Files
  • 16
    Jul 16th
    2 Files
  • 17
    Jul 17th
    8 Files
  • 18
    Jul 18th
    11 Files
  • 19
    Jul 19th
    15 Files
  • 20
    Jul 20th
    15 Files
  • 21
    Jul 21st
    15 Files
  • 22
    Jul 22nd
    7 Files
  • 23
    Jul 23rd
    2 Files
  • 24
    Jul 24th
    19 Files
  • 25
    Jul 25th
    28 Files
  • 26
    Jul 26th
    2 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close