Computer Security
[EN] securityvulns.ru

From: r0t <krustevs_(at)_googlemail.com>
Date: 03.08.2007
Subject: OpenWebMail Multiple XSS vuln.

OpenWebMail Multiple XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 2 August 2007
Vendor: openwebmail.org
Original advisory:
http://pridels-team.blogspot.com/2007/08/openwebmail-multiple-xss-vuln.html
Affected versions: 2.52 20060831 and previous
###############################################


OpenWebMail contains multiple flaws that allow remote Cross-Site
Scripting attacks.

1. file "openwebmail-main.pl"

Input passed to the "searchtype", "longpage" and "page" parameters isn't
properly sanitised before being returned to the user.


2. file "openwebmail-prefs.pl"


Input passed to the:
"prefs_caller",
"userfirsttime",
"page",
"sort",
"folder",
"message_id"
parameters isn't properly sanitised before being returned to the user.


3. file "openwebmail-send.pl"

Input passed to the:
"compose_caller",
"msgdatetype",
"keyword",
"searchtype",
"folder",
"page",
"sort"
parameters isn't properly sanitised before being returned to the user.


4. file "openwebmail-folder.pl"

Input passed to the:
"folder",
"page",
"sort"
parameters isn't properly sanitised before being returned to the user.



5. file "openwebmail-webdisk.pl"

Input passed to the:
"searchtype",
"page",
"filesort",
"singlepage",
"showhidden",
"showthumbnail",
"message_id"
parameters isn't properly sanitised before being returned to the user.


6. file "openwebmail-advsearch.pl"

Input passed to the "folder" parameter isn't properly sanitised before being
returned to the user.


7. file "openwebmail-abook.pl"

Input passed to the:

"abookcollapse",
"abooksearchtype",
"abooksort",
"abooklongpage",
"abookpage",
"message_id",
"searchtype",
"msgdatetype",
"sort",
"page",
"rootxowmuid",
"listviewmode"

parameters isn't properly sanitised before being returned to the user.


This can be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.

Note:
For manual testing use:
%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
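
One way to apply the fix named under Solution, as an added example that is not OpenWebMail code and not part of the original advisory: validate each reflected parameter against a rule, then HTML-encode everything written back into the page. The per-parameter rules, the default value "subject" and the helper names html_escape, clean_param and url_decode are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not OpenWebMail code. The per-parameter rules below are
# assumptions for illustration; the advisory only names the parameters.
use strict;
use warnings;

# Encode the characters that can break out of HTML text or a quoted attribute.
my %ENT = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;');
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/([&<>"'])/$ENT{$1}/g;
    return $s;
}

# Hypothetical rules: numeric paging values, short word-like tokens for the rest.
my %RULE = (
    page       => qr/\A[0-9]{1,6}\z/,
    longpage   => qr/\A[01]\z/,
    searchtype => qr/\A[a-z_]{1,32}\z/,
    sort       => qr/\A[a-z_]{1,32}\z/,
);

# Return the value if it matches its rule, otherwise the caller's safe default.
sub clean_param {
    my ($name, $value, $default) = @_;
    my $rule = $RULE{$name};
    return $default unless defined $value && defined $rule;
    return $value =~ $rule ? $value : $default;
}

# Minimal percent-decoder so the sample runs without CGI.pm.
sub url_decode {
    my ($s) = @_;
    $s =~ tr/+/ /;
    $s =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    return $s;
}

# Constructed request: the advisory's manual test string sent as "searchtype".
my $raw = url_decode('%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E');

# Layer 1: validation rejects the value and falls back to the default ("subject" is hypothetical).
my $searchtype = clean_param('searchtype', $raw, 'subject');
# Layer 2: everything written into the page is encoded, validated or not.
printf qq{<input type="hidden" name="searchtype" value="%s">\n}, html_escape($searchtype);
printf qq{<p>Rejected input was: %s</p>\n}, html_escape($raw);
```

Encoding at output is the control that closes the reflected-XSS path; the allowlist rules are defence in depth and also keep malformed values out of later processing.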
