Topic:      Arbitrary tags injection in victim's browser context
Announced:  2004-07-16
Credits:    Roman Medina-Heigl Hernandez (a.k.a. RoMaNSoFt)
Affects:    all versions before 20040603
Corrected:  openwebmail versions after 2.32 20040603
Patches:    http://openwebmail.org/openwebmail/download/cert/patches/SA-04:05/
            http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:05/

I. Background

On 29.May.2004, Roman disclosed an important XSS vulnerability in the latest versions of the well-known webmail package SquirrelMail.

http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt

Unfortunately, Open WebMail is also vulnerable to the same bug.

II. Problem Description

A vulnerability has been discovered in SM (SquirrelMail). Due to unsanitized user input, a specially crafted e-mail read by the victim using SM makes injection of arbitrary tags possible.

III. Impact

When correctly exploited, it permits the execution of scripts (JavaScript, VBScript, etc.) in the context of the victim's browser. Compromise of the webmail account, cookie theft, or further exploitation of any existing local vulnerability in the browser (especially easy in the case of MS-IE, which still has plenty of pending [unpatched] security vulnerabilities) are only some examples of the possibilities.

IV. Workaround

None.

V. Solution

A. Upgrade to the latest openwebmail-current.tar.gz

B. Or apply the patch in
   http://openwebmail.org/openwebmail/download/cert/patches/SA-04:05/
   http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-04:05/