OpenWebMail Multiple XSS vuln.
###############################################
Vuln. discovered by: r0t
Date: 2 August 2007
vendor: openwebmail.org
original advisory:
http://pridels-team.blogspot.com/2007/08/openwebmail-multiple-xss-vuln.html
affected versions: 2.52 20060831 and previous
###############################################
OpenWebMail contains multiple flaws that allow remote Cross-Site
Scripting attacks.
Input passed to the "searchtype", "longpage" and "page" parameters isn't
properly sanitised before being returned to the user.
Input passed to the:
"prefs_caller",
"userfirsttime",
"page",
"sort",
"folder",
"message_id"
parameters isn't properly sanitised before being returned to the user.
Input passed to the:
"compose_caller",
"msgdatetype",
"keyword",
"searchtype",
"folder",
"page",
"sort"
parameters isn't properly sanitised before being returned to the user.
Input passed to the:
"folder",
"page",
"sort"
parameters isn't properly sanitised before being returned to the user.
Input passed to the:
"searchtype",
"page",
"filesort",
"singlepage",
"showhidden",
"showthumbnail",
"message_id"
parameters isn't properly sanitised before being returned to the user.
Input passed to the "folder" parameter isn't properly sanitised before being
returned to the user.
Input passed to the:
"abookcollapse",
"abooksearchtype",
"abooksort",
"abooklongpage",
"abookpage",
"message_id",
"searchtype",
"msgdatetype",
"sort",
"page",
"rootxowmuid",
"listviewmode"
parameters isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's
browser session in the context of an affected site.
Note:
For manual testing use:
%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
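
Added example (not part of the original advisory and not OpenWebMail code): the fix pattern named under "Solution", shown in Python rather than OpenWebMail's Perl, run against the advisory's own test string. The hidden-field template, the function names and the rule that "page" is a positive integer are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Test string quoted in the advisory's "Note" section (URL-encoded form).
ADVISORY_TEST = "%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E"

# Hypothetical template: a request parameter reflected into a hidden form field.
FIELD = '<input type="hidden" name="{name}" value="{value}">'


def render_unsafe(name, raw):
    """The flawed pattern: the decoded value is written back verbatim."""
    return FIELD.format(name=name, value=unquote(raw))


def render_safe(name, raw):
    """Encode for the HTML attribute context at the point of output."""
    value = html.escape(unquote(raw), quote=True)  # escapes & < > " '
    return FIELD.format(name=html.escape(name, quote=True), value=value)


def parse_page(raw, default=1):
    """Assumption: 'page' is a positive integer, so anything else is dropped."""
    text = unquote(raw)
    if text.isascii() and text.isdigit() and int(text) > 0:
        return int(text)
    return default


def breaks_out(markup):
    """True if the markup holds more than the single intended <input> tag."""
    return markup.count("<") != 1 or markup.count(">") != 1


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        out = render("folder", ADVISORY_TEST)
        print(f"{render.__name__}: breaks_out={breaks_out(out)}")
        print(f"  {out}")
    print("page ->", parse_page(ADVISORY_TEST))
```

The leading %22 in the test string decodes to a double quote, which closes the attribute value before the script element starts; that is why the encoder must cover quotes and not only angle brackets.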