Users login

Create an account »


Users login

Home » Hacking News » cross-site-scripting bug in NOCC

cross-site-scripting bug in NOCC

by Nikola Strahija on May 14th, 2002 NOCC is a webmail client written in PHP. It provides webmail access to IMAP and POP3 accounts. Unfortunatly the software displays a message without checking for any malicous code.

More details
- ------------
A mail (even a text mail) is rendered as html. So a possible blackhat
can include any malicous code in an email and get full access to any
mailbox easily.

- ----------------
Just write an email to any NOCC user with the following text inside:


When the user is reading his mail a popup will come up showing his
session id. Of course there are many other possibilities to make use of
this bug.

- -------------
Users could disable Javascript but because there are still other
possiblilities to enter malicious code, this will only stop this
proof-of-concept from working.

- ---
None at the moment, but the authors are allready working on a new version.

- -------------
Because the software is widly spreaded according to their website, and
any blackhat can easily get full access to any emailaccount that is
managed using NOCC, we are rating the securtiy risk to high.

Vendor status
- -------------
We have informed the core developers, who reacted fastly and in a
recommedable way. They entered the bug to their bugzilla system. So
there is no need for us to wait with this publication, allthough there
is no fix ready until now.

- ----------
All information that can be found in this advisory is believed to be
true, but maybe it isn't. ppp-design can not be held responsible for the
use or missuse of this information. Redistribution of this text is only
permitted if the text has not been altered and the original author
ppp-design ( is mentioned.

This advisory can be found online at:

- --

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »