![]() This proof of concept (PoC) shows how it is possible to trick SquirrelMail in sending arbitrary e-mails on the behalf of a SquirrelMail user. Nowadays HTML e-mails are sadly widespread so it is reasonable to assume that most users are willing to properly display them. The HTML visualization of messages in SquirrelMail is not enabled by default, users of the stable version need to enable it globally whereas in the development version it can also be toggled for single messages. To increase the chances of success the JavaScript payload should look like this: // get the real window ![]() Luckily it is possible to obtain the original frame using the window.opener property and possibly close the new window afterwards. The HTML sanitizer adds the target=”_blank” attribute to links, in Firefox this means that even javascript: URLs are evaluated in a new tab. This solution has been tested with all major browsers and requires the user to click on an anchor element: Īrbitrarily complex code can be deployed by evaluating a decoded Base64 string.Īdditionally, to mimic the look and feel of a regular link, the following attributes of the text element can be used: fill="#0000cc" text-decoration="underline" cursor="pointer" This solution only works with Firefox and Edge and requires no additional interaction from of the user: Īrbitrarily complex code can be deployed by using the Base64 format of the Data URL scheme. SquirrelMail version 1.5.2 (trunk r14747) Two methods have been devised, to maximize the chances of success it may be advisable to employ both.Īn independent security researcher, Andrea Cardaci, has reported this vulnerability to SSD Secure Disclosure program. Moreover, in this context can be self-closing and the lack of closing tag is enough to deceive the sanitizer. ![]() This variant exposes the href attribute as part of the xlink namespace (for the latter it allows to specify the resource containing the script code) therefore it can be accessed with xlink:href which is ignored by SquirrelMail. It is possible to bypass these checks by using the SVG counterpart of the and elements. In particular, the element is deleted and the href attribute can only assume certain schemes (e.g., not javascript:) otherwise it is replaced with a void image URL. The HTML sanitizer uses a blacklist approach based on tag and attributes names to recognize potentially dangerous HTML code and decide how to fix it, for example, attributes starting with on are removed as they usually represent events. It is likely that even prior versions are affected since this does not appear to be a regression but merely an insufficient implementation. This basically grants the attacker the same privileges of the authenticated victim, in particular this enables to (among other things): send e-mail messages on the behalf of the victim, fetch conversations from folders, delete or otherwise manage messages, log the victim out of SquirrelMail, etc. An input sanitization vulnerability that can be exploited to perform stored cross-site scripting (XSS) attacks has been discovered.Ī remote attacker can send a specially crafted e-mail containing malicious HTML and execute arbitrary JavaScript code in the context of the vulnerable webmail interface when the user displays the message. SquirrelMail allows to display HTML messages provided that non-safe fragments are redacted.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |