Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11281
HistoryFeb 03, 2006 - 12:00 a.m.

[Full-disclosure] Neomail Cross Site Scripting Vulnerability

2006-02-0300:00:00
vulners.com
12
JSON

Title: Neomail Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: 24 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org

Service: Webmail Perl Client

Vendor: neomail / www.neocodesolutions.com

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Details:

NeoMail is a free open-source perl web-based e-mail client that can be
installed on any UNIX mail server that is also running a web server. With
thousands of installations worldwide, neomail has many features like
Sending/receiving messages with multiple attachments, inline image
attachment display Friendly, attractive, icon-based user interface,
multiple language support, including English, Spanish, German, French,
Hungarian, Italian, Dutch, Polish, Portuguese, Norwegian, Romanian,
Russian, Slovak, and more can be added easily … configurable limits on
outgoing attachment size, folder disk usage, addressbook size… users can
import their address book from Outlook Express or Netscape Mail in CSV
format and more. neomail.pl is prone to cross-site scripting attacks. This
problem is due to a failure in the script to properly sanitize
user-supplied input. input can be passed in variable $date

Impact:

an attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authentified
neomail user in the context of the vulnerable website. resulting in the
theft of cookie-based authentication giving the
attacker full access to the victim's neomail email account as well as
other type of attacks.

Affected script with proof of concept exploit:

/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&sort=date"><script>alert('vul')</script>&folder&action=displayheaders&firstmessage=1

Examples:

http://www.vulnerable-site.com/neomail.pl?sessionid=XXXX-session-0.9565905XXXXXXXX&amp;sort=date&quot;&gt;&lt;script&gt;alert&#40;&#39;vul&#39;&#41;&lt;/script&gt;&amp;folder=&amp;action=displayheaders&amp;firstmessage=1

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

JSON