![[LWN Logo]](/images/lcorner.png)
![[LWN.net]](/images/Included.png)
|
|
|
|
From: ppp-design <security@ppp-design.de> To: bugtraq@securityfocus.com Subject: NOCC: cross-site-scripting bug Date: Tue, 14 May 2002 15:33:29 +0200 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ppp-design found the following cross-site-scripting bug in NOCC: Details - ------- Product: NOCC Affected Version: 0.9.5 and maybe all versions before Immune Version: none, authors are working on it OS affected: all OS with php and mysql Vendor-URL: http://nocc.sourceforge.net/ Vendor-Status: informed, working on a new version Security-Risk: high Remote-Exploit: Yes Introduction - ------------ NOCC is a webmail client written in PHP. It provides webmail access to IMAP and POP3 accounts. Unfortunatly the software displays a message without checking for any malicous code. More details - ------------ A mail (even a text mail) is rendered as html. So a possible blackhat can include any malicous code in an email and get full access to any mailbox easily. Proof-of-concept - ---------------- Just write an email to any NOCC user with the following text inside: <script>alert(document.cookie)</script> When the user is reading his mail a popup will come up showing his session id. Of course there are many other possibilities to make use of this bug. Temporary-fix - ------------- Users could disable Javascript but because there are still other possiblilities to enter malicious code, this will only stop this proof-of-concept from working. Fix - --- None at the moment, but the authors are allready working on a new version. Security-Risk - ------------- Because the software is widly spreaded according to their website, and any blackhat can easily get full access to any emailaccount that is managed using NOCC, we are rating the securtiy risk to high. Vendor status - ------------- We have informed the core developers, who reacted fastly and in a recommedable way. They entered the bug to their bugzilla system. So there is no need for us to wait with this publication, allthough there is no fix ready until now. Disclaimer - ---------- All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design can not be held responsible for the use or missuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned. This advisory can be found online at: http://www.ppp-design.de/advisories.php - -- ppp-design http://www.ppp-design.de Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQE84RIpDXh7YLO1RRoRAgx7AKDqa7GcWbA63m5VC8OckzjrOItdEQCgvBbU 1A8yDzFcsP7YdapdLjGP24A= =Apoo -----END PGP SIGNATURE-----