Topic:      Arbitrary tags injection in victim's browser context
Announced:  2005-09-07
Updated:    2006-04-28
Credits:    s3cure r0t
Affects:    all versions before 20060502
Corrected:  openwebmail versions after 2.52 20060502
Patches:    http://openwebmail.org/openwebmail/download/cert/patches/SA-05:03
            http://openwebmail.acatysmoof.com/download/cert/patches/SA-05:03

I. Background

OpenWebMail does not sanitize an illegal sessionid value before displaying it in the error message page. This creates a Cross Site Scripting (XSS) vulnerability: any markup or script passed as an illegal sessionid value is reflected into the error page and executed by the browser when that page is displayed.

II. Problem Description

A vulnerability has been discovered in OWM due to missing sanitization of input supplied as an illegal "sessionid" value.

III. Impact

When correctly exploited, it permits the execution of scripts (JavaScript, VBScript, etc.) in the context of the victim's browser. Compromise of the webmail account, cookie theft, or further exploitation of any existing vulnerability in the browser (especially easy in the case of MS-IE, which still has plenty of pending [unpatched] security vulnerabilities) are only some of the possibilities.

IV. Workaround

None.

V. Solution

A. Upgrade to the latest openwebmail-current.tar.gz

B. Or apply the patch in
   http://openwebmail.org/openwebmail/download/cert/patches/SA-05:03
   http://openwebmail.acatysmoof.com/download/cert/patches/SA-05:03
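The sanitization gap described in sections I and II, shown as an added example in Python rather than OpenWebMail's own Perl code (this is not the SA-05:03 patch). The session id format, the error page markup and the sample illegal value are all assumptions constructed for the illustration; the point is the difference between echoing the rejected value raw and allow-listing it, then HTML-escaping it before it reaches the page.

```python
import html
import re

# Assumed shape of a valid session id (hypothetical for this example):
# a user name, a dash and a hex token, e.g. "alice-7f3a9c". The real
# OpenWebMail format is not given in the advisory; the point is that
# anything failing the check must never be echoed back unescaped.
SESSIONID_RE = re.compile(r"^[A-Za-z0-9_.]{1,64}-[0-9a-f]{6,64}$")

# Constructed sample input: an illegal sessionid carrying markup.
SAMPLE_ILLEGAL_SESSIONID = "x<script>alert(1)</script>"


def is_valid_sessionid(sessionid: str) -> bool:
    """Allow-list check: only the expected characters and shape pass."""
    return SESSIONID_RE.fullmatch(sessionid) is not None


def error_page_vulnerable(sessionid: str) -> str:
    """The flawed pattern: the rejected value is interpolated into HTML
    as-is, so tags inside it are parsed by the victim's browser
    (reflected XSS)."""
    return f"<html><body><p>Illegal sessionid: {sessionid}</p></body></html>"


def error_page_fixed(sessionid: str) -> str:
    """Hardened pattern: escape the value before it reaches the page, so
    the browser renders the characters instead of interpreting them as
    tags or attributes."""
    safe = html.escape(sessionid, quote=True)
    return f"<html><body><p>Illegal sessionid: {safe}</p></body></html>"


def handle_request(sessionid: str) -> str:
    """Request handler sketch: valid ids go on to the mailbox; anything
    else gets the escaped error page, never the raw value."""
    if is_valid_sessionid(sessionid):
        return "OK: session accepted"
    return error_page_fixed(sessionid)
```

Escaping at the output point is what closes the hole; the allow-list check on its own only narrows which values reach the error page, so both belong together.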