NOCC: XSS PROGRAM: NOCC VENDOR: Olivier Cahagne et al. HOMEPAGE: http://nocc.sourceforge.net/ VULNERABLE VERSIONS: 0.9.5, possibly others IMMUNE VERSIONS: 0.9.5 with my patch applied SEVERITY: high LOGIN REQUIRED: no DESCRIPTION: "NOCC is a simple and fast Web-based e-mail reader which can handle POP3, SMTP, and IMAP servers. It is written with PHP4, and uses sessions, has low requirements (no database, frames), and is easy to install. It also features multi-language support, MIME attachment decoding/encoding, and the ability to display HTML messages." (direct quote from the program's project page at Freshmeat) NOCC is published under the terms of the GNU General Public License. It is one of the packages in Debian GNU/Linux and one of FreeBSD's ports. SUMMARY: NOCC has got several cross-site scripting holes when displaying e-mail messages. They allow an attacker to take over a victim's e-mail account and/or perform actions against the victim's will, by simply sending a malicious e-mail message to the victim. TECHNICAL DETAILS: 1) If the e-mail message's MIME type is text/plain, the program doesn't remove any HTML code from the mail body. It is shown "live". 2) When the victim selects "View header", no HTML codes are removed from mail headers like Subject and Date (yes, you can write whatever you like in the Date header). COMMUNICATION WITH VENDOR: The vendor was contacted on the 9th and the 10th of July. They haven't released any official fixed version yet. MY PATCH: I wrote a patch for these security holes, and it is included in this mail as an attachment. I have patched against version 0.9.5. // Ulf Harnhammar VSU Security ulfh@update.uu.se "I saw the worst minds of my generation / getting their political information from tabloids / listening to Savage Garden's greatest hits / getting married and having kids at 25 just 'cause the neighbours did / and building the worst administrative web-based members interface ever known to man" (To B.)