[VIM] Openwebmail: 2 XSS vulns not one, and some version hints
Steven M. Christey
coley at mitre.org
Mon Jun 26 20:09:57 EDT 2006
Various VDBs appear to be combining two distinct XSS reports from the
OpenWebMail vendor, and/or are not being precise about the
distinction. Making this more difficult appears to be the lack of
clearly labeled versions.
The changelog is:
http://openwebmail.org/openwebmail/doc/changes.txt
Relevant items are:
06/18/2006
----------
3. fix additional XSS exploits in openwebmail-read.pl due to the
from address not being sanitized properly
...
05/12/2006
----------
2. modify some additional openwebmailerror calls that need to
display HTML, to make them XSS attack safe.
...
5. fix additional XSS possible exploits caused by the To and From
name and address not being sanitized before display
We can sort of infer version numbers from here:
http://openwebmail.org/openwebmail/download/release/
But the 02-May-2006 date for 2.52 is out of alignment with the above
dates in the changelog.
Anyway, back to the differences between 06/18/2006 and 05/12/2006.
It comes down to the diffs (credits to FrSIRT for pointing in the
direction of the SVN archives).
For the 06/18/2006 version, we have cleansing of the $eaddr variable
in openwebmail-read.pl:
http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/diff/trunk/src/cgi-bin/openwebmail/openwebmail-read.pl?rev1=236;rev2=237
For the 05/12/2006 version, the affected file is openwebmail-main.pl,
as seen here:
http://openwebmail.acatysmoof.com/dev/svn/index.pl/openwebmail/diff/trunk/src/cgi-bin/openwebmail/openwebmail-main.pl?rev1=235;rev2=236
I don't know about item (2) from the 05/12/2006 changelog - maybe it's
defensive or maybe there's a specific attack vector.
- Steve
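Added example, not part of the message above and not code from OpenWebMail itself: a Python sketch of the bug class the changelog entries describe, where the From: display-name and address are dropped into the page without HTML escaping. The rendering functions and the sample headers are constructed for illustration; they do not reproduce the actual logic of openwebmail-read.pl or its $eaddr handling, only the general shape of "unsanitized sender shown in HTML" beside the escaped version.

```python
import html
from email.utils import parseaddr

# Constructed sample From: headers (not taken from any real message or
# from the OpenWebMail project). The second one carries a script payload
# inside the RFC 2822 display-name, which the sender fully controls.
SAMPLE_FROM_HEADERS = [
    'Alice Example <alice@example.com>',
    '"Bob <img src=x onerror=alert(1)>" <bob@example.com>',
]


def render_from_unsafe(from_header: str) -> str:
    """Build the From: cell the way a naive webmail reader would: the
    display-name and the address are interpolated straight into HTML.
    The sender's markup is emitted verbatim and runs in the reader's
    browser, which is the class of bug the changelog items describe."""
    name, addr = parseaddr(from_header)
    return f'<a href="mailto:{addr}">{name or addr}</a>'


def render_from_safe(from_header: str) -> str:
    """Same rendering, but both parts are HTML-escaped first.
    quote=True also escapes the double quote, so a crafted address
    cannot break out of the href="..." attribute either."""
    name, addr = parseaddr(from_header)
    safe_name = html.escape(name or addr, quote=True)
    safe_addr = html.escape(addr, quote=True)
    return f'<a href="mailto:{safe_addr}">{safe_name}</a>'


def leaks_markup(rendered: str) -> bool:
    """Crude check used here only to show the difference between the two
    renderers: does any '<' other than our own <a>/</a> tags survive?
    (Only the anchor we emit should begin a tag.)"""
    stripped = rendered.replace('<a href="mailto:', '').replace('</a>', '')
    return '<' in stripped


if __name__ == '__main__':
    for hdr in SAMPLE_FROM_HEADERS:
        print('header :', hdr)
        print('unsafe :', render_from_unsafe(hdr), '(leaks)' if leaks_markup(render_from_unsafe(hdr)) else '')
        print('safe   :', render_from_safe(hdr), '(leaks)' if leaks_markup(render_from_safe(hdr)) else '')
        print()
```

Note that escaping at the point of output is the fix the changelog describes for the read page; it does not depend on the mail parser having rejected the payload, since a display-name may legitimately contain almost any characters.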