7/23/25

[#5063] HTML INJECT Vulnerability
Summary HTML INJECT Vulnerability
Queue IMP
Queue Version 4.1
Type Bug
State No Feedback
Priority 2. Medium
Owners
Requester asamad (at) arpatech (dot) com
Created 03/05/2007 (6715 days ago)
Due
Updated 04/13/2007 (6676 days ago)
Assigned 03/05/2007 (6715 days ago)
Resolved 04/13/2007 (6676 days ago)
Github Issue Link
Github Pull Request
Milestone
Patch No

History
04/13/2007 03:16:46 PM Chuck Hagenbuch State ⇒ No Feedback
 
03/06/2007 10:16:53 AM Jan Schneider Comment #4
I still don't see how you could inject HTML code anywhere. Please provide us with a proof of concept.
03/06/2007 06:53:52 AM asaamd (at) arpatech (dot) com Comment #3
Yes, it does allow a phishing attack and would end up in an abused site, but when an authenticated user clicks on a malformed URL, the HTML would be injected in the same session, which could lead to HTML code injection on the client side.

Abdus Samad
ARPATECH
03/05/2007 02:00:17 PM Jan Schneider Comment #2
State ⇒ Feedback
I don't see how this allows HTML injection. Users are redirected to sites provided by the url parameter, which could be abused for phishing attacks, and we should probably fix this the same way we recently did in horde/index.php.

But I can't see how this allows injection. And please always check the latest version when reporting a security issue.
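
An added example, not part of the ticket and not Horde's code or its actual fix: one way to validate a redirect target such as the `url` parameter discussed in this thread before it is used in a `Location` header. The function name `safe_redirect_target`, the allowed host, the fallback path and the sample inputs are assumptions made for this illustration.

```php
<?php
// Added illustration, not Horde code. safe_redirect_target(), the allowed
// host and the fallback path are hypothetical values for this example.

/**
 * Return $url when it is an acceptable redirect target, else $fallback.
 * Acceptable: a local absolute path, or an http(s) URL on an allowed host.
 */
function safe_redirect_target($url, array $allowedHosts, $fallback = '/')
{
    if (!is_string($url) || $url === '') {
        return $fallback;
    }
    // Control characters (CR/LF) would allow header splitting; some browsers
    // treat a backslash as a slash, so reject both outright.
    if (preg_match('/[\x00-\x1f\x7f\\\\]/', $url)) {
        return $fallback;
    }
    // Local path: one leading slash only. "//host" is scheme-relative and
    // would leave the site.
    if ($url[0] === '/') {
        return (strlen($url) > 1 && $url[1] === '/') ? $fallback : $url;
    }
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // relative, malformed, or javascript:/data: style
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback; // e.g. http://trusted-host@other-host/
    }
    return in_array(strtolower($parts['host']), $allowedHosts, true) ? $url : $fallback;
}

// Constructed sample inputs, as they might arrive in ?url=...
$allowed = ['mail.example.org'];
$samples = [
    '/imp/mailbox.php',
    'https://mail.example.org/imp/',
    'http://phish.example.net/login.html',
    '//phish.example.net/',
    'https://mail.example.org@phish.example.net/',
    "/imp/\r\nSet-Cookie: x=1",
];
foreach ($samples as $candidate) {
    printf("%-48s => %s\n", json_encode($candidate), safe_redirect_target($candidate, $allowed, '/imp/'));
}
```
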
03/05/2007 09:27:43 AM asamad (at) arpatech (dot) com Comment #1
Priority ⇒ 2. Medium
Type ⇒ Bug
Summary ⇒ HTML INJECT Vulnerability
Queue ⇒ IMP
State ⇒ Unconfirmed
Horde IMP is prone to an HTML injection vulnerability. This issue is due to a failure in the application to properly sanitize the variable 'url'.

Attacker-supplied HTML and script code would be executed in the context of the affected Web site, potentially allowing for theft of cookie-based authentication credentials. An attacker could also exploit this issue to control how the site is rendered to the user; other attacks are also possible.

This would affect even an unauthenticated user, who could be directed to a malicious web page resulting in information theft or even system compromise by injecting Trojans.

PROOF OF CONCEPT CODE:

http://<HOST>/index.php?url=<any web.html>

A prompt response will be highly appreciated.

Thank you

Abdus Samad
Advanced Research Projects and Technologies

