Bugtraqmailing list archives

By Date

By Thread

NOCC: cross-site-scripting bug

-----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1ppp-design found the following cross-site-scripting bug in NOCC:Details- -------Product: NOCCAffected Version: 0.9.5 and maybe all versions beforeImmune Version: none, authors are working on itOS affected: all OS with php and mysqlVendor-URL:http://nocc.sourceforge.net/Vendor-Status: informed, working on a new versionSecurity-Risk: highRemote-Exploit: YesIntroduction- ------------NOCC is a webmail client written in PHP. It provides webmail access toIMAP and POP3 accounts. Unfortunatly the software displays a messagewithout checking for any malicous code.More details- ------------A mail (even a text mail) is rendered as html. So a possible blackhatcan include any malicous code in an email and get full access to anymailbox easily.Proof-of-concept- ----------------Just write an email to any NOCC user with the following text inside:<script>alert(document.cookie)</script>When the user is reading his mail a popup will come up showing hissession id. Of course there are many other possibilities to make use ofthis bug.Temporary-fix- -------------Users could disable Javascript but because there are still otherpossiblilities to enter malicious code, this will only stop thisproof-of-concept from working.Fix- ---None at the moment, but the authors are allready working on a new version.Security-Risk- -------------Because the software is widly spreaded according to their website, andany blackhat can easily get full access to any emailaccount that ismanaged using NOCC, we are rating the securtiy risk to high.Vendor status- -------------We have informed the core developers, who reacted fastly and in arecommedable way. They entered the bug to their bugzilla system. Sothere is no need for us to wait with this publication, allthough thereis no fix ready until now.Disclaimer- ----------All information that can be found in this advisory is believed to betrue, but maybe it isn't. ppp-design can not be held responsible for theuse or missuse of this information. Redistribution of this text is onlypermitted if the text has not been altered and the original authorppp-design (http://www.ppp-design.de) is mentioned.This advisory can be found online at:http://www.ppp-design.de/advisories.php- --ppp-designhttp://www.ppp-design.dePublic-Key:http://www.ppp-design.de/pgp/ppp-design.ascFingerprint: 5B02 0AD7 A176 3A4F CE22  745D 0D78 7B60 B3B5 451A-----BEGIN PGP SIGNATURE-----Version: GnuPG v1.0.6 (GNU/Linux)Comment: Weitere Infos: siehehttp://www.gnupg.orgiD8DBQE84RIpDXh7YLO1RRoRAgx7AKDqa7GcWbA63m5VC8OckzjrOItdEQCgvBbU1A8yDzFcsP7YdapdLjGP24A==Apoo-----END PGP SIGNATURE-----

By Date

By Thread

Current thread:

• NOCC: cross-site-scripting bugppp-design (May 14)