NOCC: XSS


PROGRAM: NOCC
VENDOR: Olivier Cahagne et al.
HOMEPAGE: http://nocc.sourceforge.net/
VULNERABLE VERSIONS: 0.9.5, possibly others
IMMUNE VERSIONS: 0.9.5 with my patch applied
SEVERITY: high
LOGIN REQUIRED: no


DESCRIPTION:

"NOCC is a simple and fast Web-based e-mail reader which can handle
POP3, SMTP, and IMAP servers. It is written with PHP4, and uses
sessions, has low requirements (no database, frames), and is easy
to install. It also features multi-language support, MIME attachment
decoding/encoding, and the ability to display HTML messages."

(direct quote from the program's project page at Freshmeat)

NOCC is published under the terms of the GNU General Public
License. It is one of the packages in Debian GNU/Linux and one of
FreeBSD's ports.


SUMMARY:

NOCC has got several cross-site scripting holes when displaying
e-mail messages. They allow an attacker to take over a victim's
e-mail account and/or perform actions against the victim's will,
by simply sending a malicious e-mail message to the victim.


TECHNICAL DETAILS:

1) If the e-mail message's MIME type is text/plain, the program
doesn't remove any HTML code from the mail body. It is shown "live".

2) When the victim selects "View header", no HTML codes are removed
from mail headers like Subject and Date (yes, you can write whatever
you like in the Date header).


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 9th and the 10th of July. They
haven't released any official fixed version yet.


MY PATCH:

I wrote a patch for these security holes, and it is included in
this mail as an attachment. I have patched against version 0.9.5.


// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se


"I saw the worst minds of my generation / getting their political
 information from tabloids / listening to Savage Garden's greatest
 hits / getting married and having kids at 25 just 'cause the
 neighbours did / and building the worst administrative web-based
 members interface ever known to man" (To B.)