what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Uebimiau 2.7.11 Cross Site Scripting / Open Redirection

Uebimiau 2.7.11 Cross Site Scripting / Open Redirection
Posted Oct 9, 2013
Authored by Manuel Garcia Cardenas | Site isecauditors.com

Uebimiau versions 2.7.11 and below suffer from open redirect and cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2013-2621, CVE-2013-2622, CVE-2013-2623
SHA-256 | 5f6f119f3f4927edb7397c7d27ce0af76e8a5813ac1a85ffe0ce6012dea50016

Uebimiau 2.7.11 Cross Site Scripting / Open Redirection

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2013-008
- Original release date: March 15th, 2013
- Last revised: March 20th, 2013
- Discovered by: Manuel Garcia Cardenas
- Severity: 4,8/10 (CVSS Base Score)
- CVE-ID: CVE-2013-2621,
CVE-2013-2622,
CVE-2013-2623
=============================================

I. VULNERABILITY
-------------------------
Multiple Vulnerabilities in Uebimiau <= 2.7.11

II. BACKGROUND
-------------------------
UebiMiau is a webmail reader application supporting both IMAP and POP3
protocols. It can be installed without dependence of any PHP's extra
modules or a

separate database. It is Open source software published under GNU
General Public License (GPL).

UebiMiau has not been developed since March 2006 and does not work with
PHP 5.3 due to its use of deprecated functions. A new project, which is
a forked

reboot of UebiMiau based on the jimjag patches, named Telaen is an
actively developed drop-in replacement.

III. DESCRIPTION
-------------------------
Uebimiau 2.7.11 and lower versions contain a flaw that allows a remote
redirection attack. This flaw exists because the application does not
properly

sanitise the file "redir.php". This allows an attacker to create a
specially crafted URL, that if clicked, would redirect a victim from the
intended

legitimate web site to an arbitrary web site of the attacker's choice.

Aditionaly, it has been detected a reflected XSS vulnerability in
Uebimiau 2.7.11 and lower versions, that allows the execution of
arbitrary HTML/JavaScript

code to be executed in the context of the victim user's browser. The
code injection is done through the parameter "f_email" in the page
index.php and

parameter "selected_theme" in the page error.php.

IV. PROOF OF CONCEPT
-------------------------
REDIRECT:
http://vulnerablesite.com/uebimiau/redir.php?http://www.malicious-site.com

XSS 1:
http://vulnerablesite.com/uebimiau/error.php?f_pass=blackybr&sess[auth]=1&selected_theme="><script>alert("XSS")</script>

XSS 2:
http://vulnerablesite.com/uebimiau/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>

V. BUSINESS IMPACT
-------------------------
REDIRECT: An attacker can redirect any user to any malicious website.
Below I have mentioned the vulnerable URL.

XSS: An attacker can execute arbitrary HTML or JavaScript code in a
targeted user's browser, this can leverage to steal sensitive
information as user

credentials, personal data, etc.

VI. SYSTEMS AFFECTED
-------------------------
All Versions of Uebimiau.

VII. SOLUTION
-------------------------
REDIRECT AND XSS: All data received by the application and can be
modified by the user, before making any kind of transaction with them
must be validated.

VIII. REFERENCES
-------------------------
http://www.uebimiau.org
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

X. REVISION HISTORY
------------------------
March 15, 2013 1: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
March 15, 2013: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 20, 2013: Sent to devel Manager.
March 21, 2013: Answer. After 4 years of previous version, the
developer
will publish new patched version in 3 days!
September 26, 2013: Ask to devel manager for feedback
October 09, 2013: After some months without feedback, we do a
full-disclosure

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance, ITC,
etc. We are

vendor independent provider with a deep expertise since 2001. Our
efforts in R&D include vulnerability research, open security project
collaboration and

whitepapers, presentations and security events participation and
promotion. For further information regarding our security services,
contact us.

XIV. FOLLOW US
-------------------------
You can follow Internet Security Auditors, news and security advisories at:
https://www.facebook.com/ISecAuditors
https://twitter.com/ISecAuditors
http://www.linkedin.com/company/internet-security-auditors
http://www.youtube.com/user/ISecAuditors
Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close