_MAIN_ Exploit:

The XSS hole I developed the most is in addressbook.php. I was able to
inject and execute javascript code and after opening the addressbook
page there was no indication that I had changed anything (after
entering the HTML comment tags to get rid of some hanging code that my
javascript had made text).

The URL I crafted for the exploit is as follows:

http://<VULNERABLE
SITE>.net/webmail/src/addressbook.php?"><script>alert(document.cookie)</script><!--

If you execute the code without the HTML comment tag on the end it
leaves a nasty hanging bit of HTML code which is a clear indication
that something has gone awry to many users (however some may ignore it
as they don't understand it).

git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3652 7612ce4b-ef26-0410-bec9-ea0150e637f0

diff --git a/src/addressbook.php b/src/addressbook.php
index 923f85ec7552a2c5c251185fec9b452d96fc7776..5742cdb28b8b032a0d9555aa57adc2aecaf0f4ef 100644 (file)
--- a/src/addressbook.php
+++ b/src/addressbook.php
@@ -75,6 +75,7 @@ $formerror = '';
 $abortform = false;
 $showaddrlist = true;
 $defselected  = array();
 $abortform = false;
 $showaddrlist = true;
 $defselected  = array();

+$form_url = 'addressbook.php';

 
 
 /* Handle user's actions */
 
 
 /* Handle user's actions */


@@ -167,7 +168,7 @@ if($REQUEST_METHOD == 'POST') {
                         $olddata = $abook->lookup($enick, $ebackend);
 
                         /* Display the "new address" form */
                         $olddata = $abook->lookup($enick, $ebackend);
 
                         /* Display the "new address" form */

-                        echo '<FORM ACTION="' . $PHP_SELF . '" METHOD="POST">' .
+                        echo '<FORM ACTION="' . $form_url . '" METHOD="POST">' .

                              "\n" .
                              html_tag( 'table',
                                 html_tag( 'tr',
                              "\n" .
                              html_tag( 'table',
                                 html_tag( 'tr',


@@ -204,7 +205,7 @@ if($REQUEST_METHOD == 'POST') {
                              'center', '', 'width="100%"' );
 
                             /* Display the "new address" form again */
                              'center', '', 'width="100%"' );
 
                             /* Display the "new address" form again */

-                            echo '<FORM ACTION="' . $PHP_SELF .
+                            echo '<FORM ACTION="' . $form_url .

                                  '" METHOD="POST">' . "\n" .
                                  html_tag( 'table',
                                      html_tag( 'tr',
                                  '" METHOD="POST">' . "\n" .
                                  html_tag( 'table',
                                      html_tag( 'tr',


@@ -276,7 +277,7 @@ if ($showaddrlist) {
 
     /* List addresses */
     if (count($alist) > 0) {
 
     /* List addresses */
     if (count($alist) > 0) {

-        echo '<FORM ACTION="' . $PHP_SELF . '" METHOD="POST">' . "\n";
+        echo '<FORM ACTION="' . $form_url . '" METHOD="POST">' . "\n";

         while(list($undef,$row) = each($alist)) {
     
             /* New table header for each backend */
         while(list($undef,$row) = each($alist)) {
     
             /* New table header for each backend */


@@ -367,7 +368,7 @@ if ($showaddrlist) {
 
 /* Display the "new address" form */
 echo '<a name="AddAddress"></a>' . "\n" .
 
 /* Display the "new address" form */
 echo '<a name="AddAddress"></a>' . "\n" .

-    '<FORM ACTION="' . $PHP_SELF . '" NAME=f_add METHOD="POST">' . "\n" .
+    '<FORM ACTION="' . $form_url . '" NAME=f_add METHOD="POST">' . "\n" .

     html_tag( 'table',
         html_tag( 'tr',
             html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",
     html_tag( 'table',
         html_tag( 'tr',
             html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",