ID PACKETSTORM:43584 Type packetstorm Reporter _6mO_HaCk Modified 2006-02-04T00:00:00
Description
`Title: Neomail Cross Site Scripting
Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: 24 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org
Service: Webmail Perl Client
Vendor: neomail / www.neocodesolutions.com
Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks
Severity: Medium/High
Details:
NeoMail is a free open-source perl web-based e-mail client that can be
installed on any UNIX mail server that is also running a web server. With
thousands of installations worldwide, neomail has many features like
Sending/receiving messages with multiple attachments, inline image
attachment display Friendly, attractive, icon-based user interface,
multiple language support, including English, Spanish, German, French,
Hungarian, Italian, Dutch, Polish, Portuguese, Norwegian, Romanian,
Russian, Slovak, and more can be added easily ... configurable limits on
outgoing attachment size, folder disk usage, addressbook size... users can
import their address book from Outlook Express or Netscape Mail in CSV
format and more. neomail.pl is prone to cross-site scripting attacks. This
problem is due to a failure in the script to properly sanitize
user-supplied input. input can be passed in variable $date
Impact:
an attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authentified
neomail user in the context of the vulnerable website. resulting in the
theft of cookie-based authentication giving the
attacker full access to the victim's neomail email account as well as
other type of attacks.
Affected script with proof of concept exploit:
/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date"><script>alert('vul')</script>&folder&action=displayheaders&firstmessage=1
Examples:
http://www.vulnerable-site.com/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date"><script>alert('vul')</script>&folder=&action=displayheaders&firstmessage=1
Disclaimer:
this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.
`
{"hash": "b5935eb914582764174ecbbbc770ee739bbfd5ab64996d6290a548e39394558d", "sourceHref": "https://packetstormsecurity.com/files/download/43584/neomailXSS.txt", "title": "neomailXSS.txt", "id": "PACKETSTORM:43584", "published": "2006-02-04T00:00:00", "description": "", "modified": "2006-02-04T00:00:00", "sourceData": "`Title: Neomail Cross Site Scripting \n \nAuthor: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org> \nDiscovered: 24 january 2005 \nPublished: 02 february 2006 \nMorX Security Research Team \nhttp://www.morx.org \n \nService: Webmail Perl Client \n \nVendor: neomail / www.neocodesolutions.com \n \nVulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks \n \nSeverity: Medium/High \n \nDetails: \n \nNeoMail is a free open-source perl web-based e-mail client that can be \ninstalled on any UNIX mail server that is also running a web server. With \nthousands of installations worldwide, neomail has many features like \nSending/receiving messages with multiple attachments, inline image \nattachment display Friendly, attractive, icon-based user interface, \nmultiple language support, including English, Spanish, German, French, \nHungarian, Italian, Dutch, Polish, Portuguese, Norwegian, Romanian, \nRussian, Slovak, and more can be added easily ... configurable limits on \noutgoing attachment size, folder disk usage, addressbook size... users can \nimport their address book from Outlook Express or Netscape Mail in CSV \nformat and more. neomail.pl is prone to cross-site scripting attacks. This \nproblem is due to a failure in the script to properly sanitize \nuser-supplied input. input can be passed in variable $date \n \nImpact: \n \nan attacker can exploit the vulnerable scripts to have arbitrary script \ncode executed in the browser of an authentified \nneomail user in the context of the vulnerable website. resulting in the \ntheft of cookie-based authentication giving the \nattacker full access to the victim's neomail email account as well as \nother type of attacks. \n \n \nAffected script with proof of concept exploit: \n \n/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date\"><script>alert('vul')</script>&folder&action=displayheaders&firstmessage=1 \n \nExamples: \n \nhttp://www.vulnerable-site.com/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date\"><script>alert('vul')</script>&folder=&action=displayheaders&firstmessage=1 \n \nDisclaimer: \n \nthis entire document is for eductional, testing and demonstrating purpose \nonly. Modification use and/or publishing this information is entirely on \nyour OWN risk. The information provided in this advisory is to be \nused/tested on your OWN machine/Account. I cannot be held responsible for \nany of the above. \n`\n", "reporter": "_6mO_HaCk", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "4d1d507d23a86b8c55024f8eed4c982c"}, {"key": "modified", "hash": "1c84a978bc9f500bec3cf43e2c25e48b"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "1c84a978bc9f500bec3cf43e2c25e48b"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "4b551459b281a3c792d674177206bf37"}, {"key": "sourceData", "hash": "47b0b6ea0408cdd51d629a102590ab0e"}, {"key": "sourceHref", "hash": "83fce89c2179b60226181216ee8f1422"}, {"key": "title", "hash": "a15357b84a0856bd6a3bae999b24499e"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "cvss": {"vector": "NONE", "score": 0.0}, "references": [], "type": "packetstorm", "cvelist": [], "history": [], "bulletinFamily": "exploit", "objectVersion": "1.2", "edition": 1, "href": "https://packetstormsecurity.com/files/43584/neomailXSS.txt.html", "lastseen": "2016-11-03T10:29:22", "viewCount": 0, "enchantments": {"vulnersScore": 0.0}}