Folder in webmail mailbox is vulnerable to Cross-Site Scripting (Reflective) in modoboa/modoboa-webmail

Valid

Reported on Feb 16th 2023


Issue Description

• Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

• Jeffrey discovered that, when creating a new folder in the webmail, it is vulnerable to Cross-Site Scripting (Reflective).

POC Link:

https://drive.google.com/file/d/12GElAaNOQotSfZU-huE-feDm34rniJmM/view?usp=share_link

Payload:

<a onmouseover="alert(1)">Jeffreylink</a>

Recommendation:

• Mark cookies as "Secure" and "HTTP-Only" where appropriate to minimize the impact of cross-site scripting attacks.

• Before using any user-supplied data, validate its format and reject any characters that are not explicitly allowed (i.e. a white-list). This list should be as restrictive as possible.

• Before using any data (stored or user-supplied) to generate web page content, escape all non alpha-numeric characters (i.e. output-validation). This is particularly important when the original source of data is beyond the control of the application. Even if the source of the data isn't performing input-validation, output-validation will still prevent XSS. This can be done by converting characters to “&#nn;” (ignore the quotes), where “nn” is the hexadecimal ASCII character number.

References

Cross-Site Scripting OWASP http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29

Impact

• The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

• Users can be induced to issue the attacker's crafted request in various ways. For example, the attacker can send a victim a link containing a malicious URL in an email or instant message.

We are processing your report and will contact the modoboa/modoboa-webmail team within 24 hours. (a month ago)
Jeffrey G modified the report (a month ago)
We have contacted a member of the modoboa/modoboa-webmail team and are waiting to hear back (a month ago)
Antoine Nguyen validated this vulnerability (a month ago)
Jeffrey G has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Jeffrey G
a month ago

Researcher


Hi @Antoine Nguyen,

Thank you for validating my report.

May I request for a CVE?

Regards, Jeffrey

Antoine Nguyen
a month ago

PR with a fix: https://github.com/modoboa/modoboa-webmail/pull/245

Jeffrey G
a month ago

Researcher


Hi @Antoine Nguyen,

Could you help to update the modoboa-webmail demo page so I can proceed to test, please?

Thank you.

Jeffrey

Antoine Nguyen
a month ago

Hi, I've updated the demo site so you can check it

Jeffrey G
a month ago

Researcher


Hi Maintainer,

The test demo page appears to be down.

Cheers.

Jeffrey

Antoine Nguyen
a month ago

My bad. It's up again.

Jeffrey G
a month ago

Researcher


No problem mate, I will give it a quick check.

Cheers! Jeffrey

Jeffrey G
a month ago

Researcher


Hi Maintainer,

Per checking, it's still vulnerable to reflective XSS.

Here's the POC video link: https://drive.google.com/file/d/1sIlyp1Za1HhpYJhPnN6zawsACEhsmhlM/view?usp=share_link

Recommendation:

• Make sure that the filename does not contain any special characters like “;”, “:”, “>”, “<”, “/”, “\”, “.”, “*”, “%” etc.

• You can also limit the length of the folder name on creation.

Hope this helps.

Cheers, Jeffrey

Jeffrey G
a month ago

Researcher


Make sure that the Folder Name must not contain any special characters like “;”, “:”, “>”, “<”, “/”, “\”, “.”, “*”, “%” etc.

Antoine Nguyen
a month ago

Thanks and indeed the fix was incomplete. I've updated the demo (make sure to hard refresh before you make a new test)

Jeffrey G
a month ago

Researcher


Thanks mate. Will re-test it again and revert the result.

Cheers!

Jeffrey

Jeffrey G
a month ago

Researcher


Hi Maintainer,

When I tested the reflected XSS, it appears to be fixed now, but I noticed that when creating a folder I can still create a name that contains special characters, although the special characters got removed after I refreshed the page.

On my second attempt, I tried another XSS payload such as Jeffrey'"><img src=x onerror=alert(1) just to double check. However, the webmail is no longer accessible; it appears that the payload caused a denial of service and I received an error message:

Error: STATUS command error: BAD [b'Error in IMAP command STATUS: Missing \'"\' (0.001 + 0.000 secs).']

I have tried to log out and log in, and used another browser, but I am still getting the above error message when I try to view the webmail tab page.

Please help to reset the demo page.

Cheers Jeffrey
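The report's Recommendation (allow-list validation plus output escaping) and the IMAP error quoted above point at two separate defects: the folder name was echoed into HTML unescaped, and it was passed into the IMAP STATUS command without RFC 3501 quoting, so a stray double quote broke the command. The following is an added example, not code from modoboa-webmail; the allow-list pattern, the length cap of 64, and the sample folder names are assumptions constructed for the demonstration.

```python
import html
import re

# Constructed sample names (not taken from the project's code): a benign name,
# the payload from the report, and the variant that broke the IMAP STATUS command.
SAMPLE_NAMES = [
    "Projects",
    '<a onmouseover="alert(1)">Jeffreylink</a>',
    'Jeffrey\'"><img src=x onerror=alert(1)',
]

# Assumed allow-list: letters, digits, space, dash, underscore; 1 to 64 characters.
FOLDER_NAME_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def validate_folder_name(name: str) -> bool:
    """Input validation: reject anything outside the allow-list or over the length cap."""
    return bool(FOLDER_NAME_RE.fullmatch(name))


def render_folder_entry(name: str) -> str:
    """Output encoding: HTML-escape before echoing the name into the response."""
    return f"<li>{html.escape(name, quote=True)}</li>"


def unsafe_status_command(name: str) -> str:
    """The failure mode seen in the thread: the raw name is spliced into the command,
    so a name containing '"' leaves the server with an unbalanced quote."""
    return f"STATUS {name} (MESSAGES UNSEEN)"


def imap_quote(name: str) -> str:
    """Encode a mailbox name as an RFC 3501 quoted string.
    Backslash and double quote are escaped with a backslash. CR, LF and non-ASCII
    may not appear in a quoted string (they need a literal / modified UTF-7), so
    this example rejects them instead of emitting a malformed command."""
    if not name.isascii() or "\r" in name or "\n" in name:
        raise ValueError("name needs IMAP literal or modified UTF-7 encoding")
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def handle_create_folder(name: str) -> dict:
    """Defence in depth: validate on input, escape for HTML, quote for IMAP."""
    if not validate_folder_name(name):
        return {"accepted": False, "reason": "folder name contains disallowed characters"}
    return {
        "accepted": True,
        "html": render_folder_entry(name),
        "imap_status": f"STATUS {imap_quote(name)} (MESSAGES UNSEEN)",
    }
```

Even if the allow-list is later relaxed, `render_folder_entry` and `imap_quote` keep the two sinks safe independently of each other.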

Antoine Nguyen
a month ago

Are you using the 'user@demo.local' account on the demo site? Because I can access the webmail on my side.

Jeffrey G
a month ago

Researcher


Hi Mate, yes, I was doing testing using the 'user@demo.local' account. I can access the webmail now.

Will continue to do re-testing and revert the result.

Cheers, Jeffrey

Jeffrey G
a month ago

Researcher


Hi Mate, I can confirm that it has been fixed already. You may proceed to close this.

It was nice working with you securing modoboa-webmail.

Thank you for your time

Cheers! Jeffrey

Antoine Nguyen marked this as fixed in 1.7.2 with commit f43789 a month ago
Antoine Nguyen has been awarded the fix bounty
This vulnerability will not receive a CVE
Antoine Nguyen published this vulnerability a month ago