Folder in webmail mailbox is vulnerable to Cross-Site Scripting (Reflective) in modoboa/modoboa-webmail
Feb 16th 2023
• Jeffrey discovered that creating a new folder in the webmail is vulnerable to Cross-Site Scripting (Reflective).
• Mark cookies as "Secure" and "HTTP-Only" where appropriate to minimize the impact of cross-site scripting attacks.
• Before using any user-supplied data, validate its format and reject any characters that are not explicitly allowed (i.e. a white-list). This list should be as restrictive as possible.
• Before using any data (stored or user-supplied) to generate web page content, escape all non-alphanumeric characters (i.e. output-validation). This is particularly important when the original source of data is beyond the control of the application. Even if the source of the data isn't performing input-validation, output-validation will still prevent XSS. This can be done by converting characters to “&#nn;” (ignore the quotes), where “nn” is the hexadecimal ASCII character number.
Cross-Site Scripting OWASP http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
• The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.
• Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message.
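The two mitigations recommended above (a whitelist check on the folder name before it is used, and entity-encoding of the name when it is rendered back into the page) as an added Python example. This is illustrative code written for this page, not modoboa-webmail's own handler or the fix in the linked pull request; the allowed-character pattern, the 64-character limit and the dict-shaped response are assumptions chosen for the example. The whitelist also rejects the double quote that the thread later reports as breaking the IMAP STATUS command, which is a reminder that unvalidated folder names can hurt more than the browser.

```python
import html
import re

# Constructed policy for this example (not modoboa's validation rules):
# ASCII letters, digits, space, underscore and hyphen only, 1 to 64 characters.
FOLDER_NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def validate_folder_name(name: str) -> bool:
    """Whitelist check: True only when every character is explicitly allowed.

    Anything outside the set (quotes, angle brackets, slashes, '%', '*', ...)
    fails the check, so the value never reaches the IMAP layer or the template.
    """
    return FOLDER_NAME_RE.fullmatch(name) is not None


def render_folder_label(name: str) -> str:
    """Output-encode a folder name before embedding it in HTML.

    html.escape turns &, <, >, " and ' into entities, so even a name that
    bypassed input validation is rendered as text rather than markup.
    """
    return html.escape(name, quote=True)


def create_folder(name: str) -> dict:
    """Simulate the create-folder request handler (hypothetical, not Django's).

    Validate first, encode on output. Returns a small constructed response
    dict in place of an HttpResponse so the flow can be checked offline.
    """
    if not validate_folder_name(name):
        return {"status": 400, "body": "Invalid folder name"}
    return {"status": 200, "body": f"<li>{render_folder_label(name)}</li>"}


if __name__ == "__main__":
    # Constructed inputs: one ordinary name, one carrying markup characters.
    for candidate in ("Projects 2023", "archive<script>"):
        print(candidate, "->", create_folder(candidate))
```

Both layers are kept even though the whitelist alone would stop the payload from this report: output encoding protects names that arrive from a path the validator does not cover (an existing mailbox, an import, a later code change), which is the "source of the data is beyond the control of the application" case from the recommendation above.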
Hi @Antoine Nguyen,
Thank you for validating my report.
May I request for a CVE?
PR with a fix: https://github.com/modoboa/modoboa-webmail/pull/245
Hi @Antoine Nguyen,
Could you help to update the modoboa-webmail demo page so I can proceed to test, please?
Hi, I've updated the demo site so you can check it
The test demo page appears to be down.
My bad. It's up again.
No problem mate, I will give a quick check.
Per checking, it's still vulnerable to reflective XSS.
Here's the POC video link: https://drive.google.com/file/d/1sIlyp1Za1HhpYJhPnN6zawsACEhsmhlM/view?usp=share_link
• Make sure that the filename must not contain any special characters like “;”, “:”, “>”, “<”, “/”, “\”, “.”, “*”, “%” etc.
• You can also limit the size of the folder name when creating.
Hope this helps.
Make sure that the Folder Name must not contain any special characters like “;”, “:”, “>”, “<”, “/”, “\”, “.”, “*”, “%” etc.
Thanks and indeed the fix was incomplete. I've updated the demo (make sure to hard refresh before you make a new test)
Thanks mate. Will re-test it again and revert the result.
When I tested the reflected XSS, it appears to be fixed now, but I noticed that when creating a folder I can still create a name that contains special characters, although the special characters got removed after I refreshed the page.
On my second attempt, I tried and used another XSS payload such as Jeffrey'"><img src=x onerror=alert(1) just to double check. However, the webmail is no longer accessible; it appears that the payload caused a denial of service and I received an error message:
Error: STATUS command error: BAD [b'Error in IMAP command STATUS: Missing \'"\' (0.001 + 0.000 secs).']
I have tried to log out and log in, and used another browser, but I am still getting the above error message when I try to view the webmail tab page.
Please help to reset the demo page.
Were you using the 'firstname.lastname@example.org' account on the demo site? Because I can access the webmail on my side.
Hi Mate, yes, I was doing testing using the 'email@example.com' account. I can access the webmail now.
Will continue to do re-testing and revert the result.
Hi Mate, I can confirm that it has been fixed already. You may proceed to close this.
It was nice working with you securing modoboa-webmail.
Thank you for your time