[VIM] prvable vendor ACK for OpenWebMail issue

Steven M. Christey coley at mitre.org
Thu May 4 00:29:34 EDT 2006 

FYI...  Brian, hope you didn't create 8 or 9 OSVDB's yet ;-)

- Steve


======================================================
Name: CVE-2006-2190
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2190
Acknowledged: yes changelog
Announced: 20060427
Flaw: XSS
Reference: MISC:http://pridels.blogspot.com/2006/04/open-webmail-251-xss-vuln.html
Reference: MLIST:[owm-announce] 20060502 OpenWebMail version 2.52
Reference: URL:http://openwebmail.acatysmoof.com/archive/html/owm-announce/owm-announce.200605/msg00000.html
Reference: CONFIRM:http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/log/trunk/?rev=233&limit=33
Reference: CONFIRM:http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/diff/trunk/src/cgi-bin/openwebmail/shares/ow-shared.pl?rev1=232;rev2=233
Reference: SECUNIA:16734
Reference: URL:http://secunia.com/advisories/16734
Reference: XF:openwebmail-multiple-scripts-xss(26105)
Reference: URL:http://xforce.iss.net/xforce/xfdb/26105

Cross-site scripting (XSS) vulnerability in ow-shared.pl in
OpenWebMail (OWM) 2.51 and earlier allows remote attackers to inject
arbitrary web script or HTML via the sessionid parameter in (1)
openwebmail-send.pl, (2) openwebmail-advsearch.pl, (3)
openwebmail-folder.pl, (4) openwebmail-prefs.pl, (5)
openwebmail-abook.pl, (6) openwebmail-read.pl, (7) openwebmail-cal.pl,
and (8) openwebmail-webdisk.pl.  NOTE: the openwebmail-main.pl vector
is already covered by CVE-2005-2863.


Analysis:
ACKNOWLEDGEMENT: The vendor changelog says "What's new in 2.52 ... a
number of security vulnerabilities have been addressed in this
release."  This is not sufficient itself, but the 2006/05/02 entry in
the changelog says "fix a bug that arbitary XSS code may be executed
by passing script in the sessionid value, because the sessionid was
not sanitized before it was displayed in the error output.  (reported
by Jose Alves..."  Despite the fact that Alves is not the same name as
the original discloser of this issue, the similarity in attack vectors
and close correlation of disclosure dates show that threse are the
same issues.  In addition, the diff for ow-shared.pl clearly shows
XSS-related quoting, and ow-shared.pl is included in at least
openwebmail-prefs.pl.

More information about the VIM mailing list