============================================= INTERNET SECURITY AUDITORS ALERT 2006-010 - Original release date: September 28, 2006 - Last revised: December 1, 2006 - Discovered by: Vicente Aguilera Diaz - Severity: 3/5 ============================================= I. VULNERABILITY ------------------------- XSS vulnerability in error page of ISMail. II. BACKGROUND ------------------------- ISMail is a webmail system. Programmed in HTML and PHP, it is designed to work with any imap server. ISMail requires that PHP 4.2+, compiled with and IMAP and Session support, be installed on the server that runs it. You have a choice of data-store backends (xml, encrypted xml, mysql, and postgresql are included, each requiring their respective PHP modules), and miscellaneous other options that can make the Inside Systems Mail experience a little friendlier. Unlike most other webmail programs, Inside Systems Mail is both quick and easy to use. The layout, complete with address book and folder options, is simple and familiar to most users. For administrators, the data-stores and options are easily extensible so that Inside Systems Mail can be dropped in nearly any configuration with minimal extra coding. The product homepage is: http://www.insidesystems.net/projects/project.php?projectid=4 III. DESCRIPTION ------------------------- The error page "error.php" receives a parameter facilitated in the querystring that shows the error message. This parameter ("error") can be manipulated by an attacker to inject arbitrary script/HTML code. This is dangerous because it's possible to realize XSS's attacks to obtain the session cookies of authenticated users and to spoof his session, or deface the error page. IV. PROOF OF CONCEPT ------------------------- Example of XSS attack: http:////error.php?error=XSS%20attack%3Cscript%3Ealert(document.cookie);%3C/script%3E V. BUSINESS IMPACT ------------------------- An attacker can spoof the session of other authenticated users allowing to access to his mail, or deface the error page. VI. SYSTEMS AFFECTED ------------------------- This vulnerability has been tested in the last version of ISMail (2.0, released on 2005-01-20) Possibly all versions are affected by this vulnerability. VII. SOLUTION ------------------------- Update version from the repository. VIII. REFERENCES ------------------------- http://www.insidesystems.net/projects/project.php?projectid=4 IX. CREDITS ------------------------- This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera=at=isecauditors=dot=com). X. REVISION HISTORY ------------------------- September 28, 2006: Initial release. XI. DISCLOSURE TIMELINE ------------------------- September 27, 2006 Vulnerability acquired by Vicente Aguilera Diaz Internet Security Auditors (www.isecauditors.com) September 28, 2006 Initial vendor notification sent. October 1, 2006 The vendor fixed the vulnerability in the repository. XII. LEGAL NOTICES ------------------------- The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors, S.L. accepts no responsibility for any damage caused by the use or misuse of this information.