atmail-xss.txt
Posted on 14 February 2007
######################################################### @Mail Search.pl keywords variable cross-site scripting vendor url:http://www.atmail.com Advisory:http://lostmon.blogspot.com/2007/02/ mail-searchpl-keywords-variable-cross.html vendor notify:yes exploit available: yes ######################################################### @Mail is a feature rich Email solution that allows users to access email-resources via the web or a variety of wireless devices. The software incorporates a complete email-server package to manage and host user email at your domain(s) @Mail contains a flaw that allows a remote cross site scripting attack.This flaw exists because the application does not validate user input in search form in html/[languaje folder]/help/search.html upon submision to search.pl script the keywords variable are afected by this flaw uopn submision to search.pl script too.This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. ############# versions ############# All of this versions Are vulnerables: @mail 4.61 @mail 4.6 @mail 4.51 @Mail 4.03 WebMail for Windows @Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X / it is also posible other versions are vulnerable. ################# solution ################# no solution was available at this time !!! ################# Timeline ################# Discovered:02-07-2005 vendor notify:11-02-2007 vendor response:-------- disclosure: 13-02-2007 ############### Examples ############### go to : http://localhost/parse.pl?file=html/english/help/search.html and insert in the search form this script: "><script>alert(document.forms.keywords)</script> or exploit directly to search.pl http://localhost/search.pl?func=searchhelp&keywords= "><script>alert(document.forms.keywords)</script>&Submit2=Search ########################
