SECURITYVULNS:DOC:17670
Published: Aug 03, 2007 (vulners.com)

OpenWebMail Multiple XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 2 August 2007
Vendor: openwebmail.org
Original advisory:
http://pridels-team.blogspot.com/2007/08/openwebmail-multiple-xss-vuln.html
Affected versions: 2.52 20060831 and previous
###############################################

OpenWebMail contains multiple flaws that allow remote cross-site scripting
(XSS) attacks.

  1. file "openwebmail-main.pl"

Input passed to the "searchtype", "longpage" and "page" parameters isn't
properly sanitised before being returned to the user.

  2. file "openwebmail-prefs.pl"

Input passed to the
"prefs_caller",
"userfirsttime",
"page",
"sort",
"folder",
"message_id"
parameters isn't properly sanitised before being returned to the user.

  3. file "openwebmail-send.pl"

Input passed to the
"compose_caller",
"msgdatetype",
"keyword",
"searchtype",
"folder",
"page",
"sort"
parameters isn't properly sanitised before being returned to the user.

  4. file "openwebmail-folder.pl"

Input passed to the
"folder",
"page",
"sort"
parameters isn't properly sanitised before being returned to the user.

  5. file "openwebmail-webdisk.pl"

Input passed to the
"searchtype",
"page",
"filesort",
"singlepage",
"showhidden",
"showthumbnail",
"message_id"
parameters isn't properly sanitised before being returned to the user.

  6. file "openwebmail-advsearch.pl"

Input passed to the "folder" parameter isn't properly sanitised before being
returned to the user.

  7. file "openwebmail-abook.pl"

Input passed to the
"abookcollapse",
"abooksearchtype",
"abooksort",
"abooklongpage",
"abookpage",
"message_id",
"searchtype",
"msgdatetype",
"sort",
"page",
"rootxowmuid",
"listviewmode"
parameters isn't properly sanitised before being returned to the user.

This can be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site. The flaws are reflected
XSS: the victim has to open an attacker-crafted link to one of the scripts
above, and the injected value comes straight back in the response.

Note:
For manual testing use:
%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E
This is the URL-encoded form of "<script>alert('r0t')</script>: the leading
double quote is there to close an attribute value before the script tag is
injected. A vulnerable script returns the string unencoded in its response.

###############################################
Solution:
Edit the source code to ensure that input is properly sanitised: HTML-encode
each of the parameters above (quotes included, since several are written
into attribute values) at the point where the script writes it back into a
page, and reject values that do not match the form the parameter is expected
to have.
###############################################
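As an added example, not part of the original advisory and not OpenWebMail's own code: the script below turns the Note and the Solution above into a repeatable check. It enumerates the script/parameter pairs listed in this advisory, builds the advisory's test payload (URL-encoded exactly as given), and classifies a response body as reflecting the payload unencoded, reflecting it HTML-encoded, or not reflecting it at all. The base URL is a hypothetical install path, and the two handlers are constructed stand-ins for a flawed and a fixed CGI script, not the real Perl code; `probe()` is where a live HTTP GET would go.

```python
"""Reflected-XSS check for the OpenWebMail parameters listed in this advisory.

Added example, not OpenWebMail code. BASE, vulnerable_handler and
fixed_handler are constructed assumptions used to demonstrate the check.
"""
import html
from urllib.parse import parse_qs, quote

# Script -> reflected parameters, as listed in the advisory.
AFFECTED = {
    "openwebmail-main.pl": ["searchtype", "longpage", "page"],
    "openwebmail-prefs.pl": ["prefs_caller", "userfirsttime", "page", "sort",
                             "folder", "message_id"],
    "openwebmail-send.pl": ["compose_caller", "msgdatetype", "keyword",
                            "searchtype", "folder", "page", "sort"],
    "openwebmail-folder.pl": ["folder", "page", "sort"],
    "openwebmail-webdisk.pl": ["searchtype", "page", "filesort", "singlepage",
                               "showhidden", "showthumbnail", "message_id"],
    "openwebmail-advsearch.pl": ["folder"],
    "openwebmail-abook.pl": ["abookcollapse", "abooksearchtype", "abooksort",
                             "abooklongpage", "abookpage", "message_id",
                             "searchtype", "msgdatetype", "sort", "page",
                             "rootxowmuid", "listviewmode"],
}

# The advisory's manual-test string, decoded: a quote to break out of an
# attribute value, then a script tag. quote() with safe="" reproduces the
# advisory's %22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E form.
PAYLOAD = "\"<script>alert('r0t')</script>"
ENCODED_PAYLOAD = quote(PAYLOAD, safe="")

# Hypothetical install path (assumption); adjust to the real cgi-bin location.
BASE = "http://mail.example.test/cgi-bin/openwebmail"


def probe_urls(base=BASE):
    """One probe URL per (script, parameter) pair, payload URL-encoded."""
    return [f"{base}/{script}?{param}={ENCODED_PAYLOAD}"
            for script, params in AFFECTED.items() for param in params]


def classify(body, payload=PAYLOAD):
    """Classify a response body.

    The raw payload in the body means the reflection is unencoded and the
    script tag will run; the entity-encoded form means output encoding is in
    place; anything else means the parameter was not echoed at all.
    """
    if payload in body:
        return "vulnerable"
    if html.escape(payload, quote=True) in body:
        return "encoded"
    return "not reflected"


def vulnerable_handler(query):
    """Constructed stand-in for the flawed pattern: the decoded parameter is
    interpolated verbatim into an attribute value."""
    value = parse_qs(query, keep_blank_values=True).get("searchtype", [""])[0]
    return f'<input type="hidden" name="searchtype" value="{value}">'


def fixed_handler(query):
    """Constructed stand-in for the fix: same page, but the value is
    HTML-encoded with quotes escaped at the point of output."""
    value = parse_qs(query, keep_blank_values=True).get("searchtype", [""])[0]
    safe = html.escape(value, quote=True)
    return f'<input type="hidden" name="searchtype" value="{safe}">'


def probe(handler, script, param):
    """Send one probe through a handler and classify the result. For a live
    check, replace handler(query) with the body of an HTTP GET of the URL
    built by probe_urls() for this script and parameter."""
    query = f"{param}={ENCODED_PAYLOAD}"
    return classify(handler(query))


if __name__ == "__main__":
    for url in probe_urls():
        print(url)
    print("before fix:", probe(vulnerable_handler, "openwebmail-main.pl", "searchtype"))
    print("after fix: ", probe(fixed_handler, "openwebmail-main.pl", "searchtype"))
```

The classification deliberately looks for the exact entity-encoded form as well as the raw one: a response that contains neither is not evidence of a fix, since the parameter may simply not be echoed on that code path, which is worth distinguishing when re-testing after patching.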