NeoMail neomail.pl sort Parameter XSS

🗓️ 16 Feb 2006 00:00:00Reported by TenableType

The NeoMail webmail application in Perl is vulnerable to XSS via the 'sort' parameter in the 'neomail.pl' script, allowing theft of session cookies and compromise of user accounts

Reporter	Title	Published	Views	Family All 5
CVE	CVE-2006-0536	4 Feb 200600:00	–	cve
Cvelist	CVE-2006-0536	4 Feb 200600:00	–	cvelist
EUVD	EUVD-2006-0543	7 Oct 202500:30	–	euvd
NVD	CVE-2006-0536	4 Feb 200600:06	–	nvd
Prion	Cross site scripting	4 Feb 200600:06	–	prion

Source	Link
securityfocus	www.securityfocus.com/archive/1/423901/30/0/threaded
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security
#


include('deprecated_nasl_level.inc');
include('compat.inc');

if (description) {
  script_id(20931);
  script_version("1.16");

  script_cve_id("CVE-2006-0536");
  script_bugtraq_id(16480);

  script_name(english:"NeoMail neomail.pl sort Parameter XSS");
  script_summary(english:"Checks for sort parameter cross-site scripting vulnerability in NeoMail");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a Perl application that is affected by
a cross-site scripting issue." );
 script_set_attribute(attribute:"description", value:
"The remote host is running NeoMail, an open source webmail application
written in Perl. 

The installed version of this software fails to validate the 'sort'
parameter in the 'neomail.pl' script before using it to generate
dynamic content.  An attacker may be able to exploit this issue to
inject arbitrary HTML and script code into a user's browser, to be
executed within the security context of the affected application,
resulting in the theft of session cookies and a compromise of a user's
account." );
 script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/423901/30/0/threaded" );
 script_set_attribute(attribute:"solution", value:
"Upgrade to NeoMail version 1.28 or later." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2006/02/16");
 script_set_attribute(attribute:"vuln_publication_date", value: "2006/02/03");
 script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/19");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value: "cpe:/a:neomail:neomail");
script_end_attributes();


  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses : XSS");

  script_copyright(english:"This script is Copyright (C) 2006-2021 Tenable Network Security, Inc.");

  script_dependencies("http_version.nasl");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("global_settings.inc");
include("misc_func.inc");
include("http.inc");


port = get_http_port(default:80);


# Loop through directories.
foreach dir (cgi_dirs()) {
  # Look for the version number in the banner.
  r = http_send_recv3(method: "GET", item:string(dir, "/neomail.pl"), port:port);
  if (isnull(r)) exit(0);

  # There's a problem if the version's < 1.28.
  if (egrep(pattern:">NeoMail</a> version (0\..+|1\.([01][0-9]|2[0-7])([^0-9].*)?)<BR>", string: r[2])) {
    security_warning(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
    exit(0);
  }
}

19 Jan 2021 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 24.3

EPSS0.00613