imd_advisory.txt

`Vendor: Captaris, Inc.  
Date: January 29, 2005  
Issue: XSS in Infinite Mobile Delivery v2.6 Webmail  
URL: http://www.capataris.com  
Advisory: http://www.lovebug.org/imd_advisory.txt  
  
  
Issue:  
  
The webmail portion of the latest (and final) release of Infinite Mobile  
Delivery contains a Cross Site Scripting vulnerability. In addition to  
the XSS, an even smaller issue exists where a user can determine the  
installation path of the client and where e-mails are stored.  
  
A user once logged in can simply start writing scripting immediately after  
their user name and it will be executed within the browser.  
  
---  
  
Example: http://www-webmailusersite-com/username/[XSS]  
  
The server will respond with:  
  
Unable to parse request for user blah:  
[XSS]  
  
---  
  
Also, the server will return the installation path if an illegal windows  
folder character or name is entered after 'Folder:' - For example, Windows  
does not let you have folders containing < > * | : \ / ? or com1, com2,  
etc.  
  
Example: http://www-webmailusersite-com/username/Folder:?  
  
The server will respond with:  
  
Error creating file: [drive letter]:\file's\path\USERS\username\?.IDX  
  
  
---  
  
  
Solutions:  
  
I am not aware of any solutions at this time.  
  
  
Vendor Response:  
  
The vendor was notified of the issue in November 2004. They also told me  
that Captaris is no longer developing Infinite Mobile Delivery and that  
there probably won't be any changs implemented. To the best of my  
knowledge there will be no further releases and there is no fix available.  
  
Credits:  
  
The best University in Virginia (Virginia Tech) for providing me education  
for the past 3.5 years and for having so much terrible cold weather which  
has given me time to write this up.  
  
Steven  
[email protected]  
`