2013-009: Multiple Vulnerabilities in Telaen <= 1.3.0

Original release date: March 15th, 2013
Last revised: June 4th, 2013
Discovered by: Manuel García Cardenas
Severity: 4,8/10 (CVSS Base Score)
CVE-ID: CVE-2013-2621, CVE-2013-2623, CVE-2013-2624

BACKGROUND

Telaen is a webmail reader application supporting both IMAP and POP3 protocols. It can be installed without dependence of any PHP's extra modules or a separate database. It is Open source software published under GNU General Public License (GPL).

The last version of Telaen is 1.3.0 released on January 2012.

DESCRIPTION

Telaen 1.3.0 and lower versions contain a flaw that allows a remote redirection attack. This flaw exists because the application does not properly sanitise the file "redir.php". This allows an attacker to create a specially crafted URL, that if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choice.

Aditionaly, it has been detected a reflected XSS vulnerability in Telaen 1.3.0 and lower versions, that allows the execution of arbitrary HTML/JavaScript code to be executed in the context of the victim user's browser. The code injection is done through the parameter "f_email" in the page index.php.

Due to the errors caused by the application Telaen 1.3.0 and lower versions, we can display the full webapp installation path.

VIDEO DEMO

PROOF OF CONCEPT 

REDIRECT: http://vulnerablesite.com/telaen/redir.php?http://www.malicious-site.com

XSS: http://vulnerablesite.com/telaen/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>

FULL PATH DISCLOSURE: http://vulnerablesite.com/telaen/inc/init.php

BUSINESS IMPACT

REDIRECT: An attacker can redirect any user to any malicious website. Below I have mentioned the vulnerable URL.

XSS: An attacker can execute arbitrary HTML or JavaScript code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc.

FULL PATH DISCLOSURE: An attacker can obtain the full path to the applitation and if the webroot is getting leaked, attackers may abuse the knowledge and use it in combination with file inclusion vulnerabilites to steal configuration files regarding the web application or the rest of the operating system.

SYSTEMS AFFECTED

Versions of Telaen < v1.3.1.

SOLUTION

REDIRECT AND XSS: All data received by the application and can be modified by the user, before making any kind of transaction with them must be validated.

FULL PATH DISCLOSURE: Turn off display errors in the configuration and unify the error pages.

REVISION HISTORY

March 15, 2013: Initial release.
June 4, 2013: Last release

DISCLOSURE TIMELINE

  • March 15, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
  • March 20, 2013: Sent to Devel Team.
  • March 28, 2013: Schedule for new version.
  • April 4, 2013: New version published.
  • June 3, 2013: Advisory sent to lists.

REFERENCES

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.