[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
XSS in Horde IMP <=4.3.7, fetchmailprefs.php
Horde IMP v4.3.7 and lower are subject to a cross site scripting (XSS)
The fetchmailprefs.php script fails to properly sanitize user supplied
input to the 'fm_id' URL parameter. If exploited, injected code will be
persistent (persistent XSS) and will execute once the user (manually)
accesses mail fetching preferences.
The following URL can be used as a proof of concept:
Prior authentication to IMP is required for immediate exploitation.
Follow-up authentication is also possible if the victims' IMP
configuration has folder maintenance options disabled.
This issue has been fixed by Jan Schneider of the Horde Project:
According to him, Horde IMP v4.3.8 (or a release candidate) which fixes
this issue is to be released within the week. Release announcements will
likely be communicated through
Credits for this discovery:
Naumann IT Security Consulting, Berlin, Germany
Thanks for reading,
Naumann IT Security Consulting
17FE F47E CE81 FC3A 8D6C 85A0 9FA1 A4BD 277F 060C
Inhaber: Moritz Naumann Â StNr. 22/652/12010 Â USt-IdNr. DE266365097