Vulnerabilities Disclosure

Multiple XSS Vulnerabilities in Atmailopen (ver. 1.04)

Dognædis Ref.: DGS-SEC-1

CVE Ref: CVE-2011-4540

Release Date: 2011/11/22

Discovery Credits: CodeV - Code Analyzer

Bulletin Author(s): HTrovao

Contact: irt@dognaedis.com

Type: Cross Site Scripting

Level: High (Low/High/Critical)

CVSS: 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Vulnerable Application: Atmailopen (ver. 1.04)

Overview:
AtMail is an open source webmail client written in PHP. It aims to provide an elegant Ajax webmail client for existing IMAP mail servers, with less bloat and a focus on an intuitive, simple user interface.

Scope:

File: /ldap.php Vulnerable Argument(s): $func (from $_GET['func'])

Code:
line 60: die("the function <b>'$func'</b> is not defined");

Proof(s) of Concept:
GET: http://<app_base>/search.php?func=<script>alert('XSS');</script>

File: /search.php Vulnerable Argument(s): $func (from $_GET['func'])

Code:
line 60: die("the function <b>'$func'</b> is not defined");

Proof(s) of Concept:
GET: http://<app_base>/search.php?func=<script>alert('XSS');</script>

Description:
The vulnerabilities listed above could be exploited through XSS (Cross-Site Scripting) attacks.
Ultimately, the attacker could take complete control of the victim's web browser.
In a successful attack, the malicious script would execute with the permissions of the authenticated user.

Impact:
Generally, exploiting this kind of vulnerability can open attack vectors for various other attacks, such as:
- Session/Cookie theft
- Account Hijacking
- Identity theft
- Accessing confidential resources
- Accessing pay content
- Account Denial of service

Resolution:
To correctly resolve the identified vulnerability, the data obtained through the $_GET['func'] input argument should be properly output-encoded for HTML, and encoded again for any subsequent ECMAScript (JavaScript) usage.
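The following is an added example (not Atmail's own code) showing the vulnerable die() pattern from the advisory beside a hardened version that HTML-encodes the value and dispatches only to an allow-list; the handler names in the allow-list are hypothetical.

```php
<?php
// Added example, not code from Atmail: a minimal dispatcher in the style of
// ldap.php / search.php. The handler names in $allowed are hypothetical.

// --- Vulnerable pattern (as reported): $func is placed raw into the HTML response. ---
function error_message_vulnerable(string $func): string
{
    // Anything in $_GET['func'], including <script> tags, is rendered as markup.
    return "the function <b>'$func'</b> is not defined";
}

// --- Hardened pattern: encode for the HTML context before reflecting the value. ---
function error_message_hardened(string $func): string
{
    // ENT_QUOTES also encodes single quotes (the value sits inside '...' in the markup);
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    $safe = htmlspecialchars($func, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "the function <b>'$safe'</b> is not defined";
}

// If the same value is ever echoed inside inline JavaScript, HTML encoding alone is
// not enough: emit it as a JSON literal with the <script>-safe escaping flags.
function js_literal(string $value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Dispatch only to known handlers; never call a function named by the client directly.
function dispatch(string $func): string
{
    $allowed = ['searchMessages', 'lookupContact']; // hypothetical handler names
    if (!in_array($func, $allowed, true) || !function_exists($func)) {
        return error_message_hardened($func);
    }
    return $func();
}

// Constructed input, taken from the advisory's proof of concept.
$func = $_GET['func'] ?? "<script>alert('XSS');</script>";
echo dispatch($func), "\n";
```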

Official Solution:
At the moment, there is no official solution for the reported vulnerabilities.
The developer said that the company has moved to a completely new code base for the Atmail 6.x versions and that this older version has not been actively developed for some time, but that the reported problems will be corrected as soon as possible.

External References:
http://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
http://en.wikipedia.org/wiki/Cross-site_scripting
http://en.wikipedia.org/wiki/Code_injection


© Copyright 2015 CodeV