Thursday 2 August 2007

OpenWebMail Multiple XSS vuln.

###############################################
Vuln. discovered by: r0t
Date: 2 August 2007
Vendor: openwebmail.org
Affected versions: 2.52 20060831 and previous
###############################################


OpenWebMail contains multiple flaws that allow remote cross-site scripting attacks.

1. file "openwebmail-main.pl"

Input passed to the "searchtype", "longpage" and "page" parameters isn't properly sanitised before being returned to the user.


2. file "openwebmail-prefs.pl"


Input passed to the:
"prefs_caller",
"userfirsttime",
"page",
"sort",
"folder",
"message_id"
parameters aren't properly sanitised before being returned to the user.


3. file "openwebmail-send.pl"

Input passed to the:
"compose_caller",
"msgdatetype",
"keyword",
"searchtype",
"folder",
"page",
"sort"
parameters aren't properly sanitised before being returned to the user.


4. file "openwebmail-folder.pl"

Input passed to the:
"folder",
"page",
"sort"
parameters aren't properly sanitised before being returned to the user.



5. file "openwebmail-webdisk.pl"

Input passed to the:
"searchtype",
"page",
"filesort",
"singlepage",
"showhidden",
"showthumbnail",
"message_id"
parameters aren't properly sanitised before being returned to the user.


6. file "openwebmail-advsearch.pl"

Input passed to the "folder" parameter isn't properly sanitised before being returned to the user.


7. file "openwebmail-abook.pl"

Input passed to the:
"abookcollapse",
"abooksearchtype",
"abooksort",
"abooklongpage",
"abookpage",
"message_id",
"searchtype",
"msgdatetype",
"sort",
"page",
"rootxowmuid",
"listviewmode"
parameters aren't properly sanitised before being returned to the user.


This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Note:
For manual testing use:
%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E


###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################
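An illustrative Perl snippet, added here and not taken from OpenWebMail's source, showing the unescaped-reflection pattern the advisory describes next to the output-escaping fix the Solution asks for. The parameter names come from the advisory; the hidden-field markup and the `html_escape` helper are assumptions, not OpenWebMail's own code.

```perl
# Added illustrative code, not OpenWebMail's own source: the reflected-XSS
# pattern this advisory describes (a request parameter echoed into HTML
# unescaped) beside the hardened form that escapes every reflected value.
use strict;
use warnings;

# Escape the characters that let a value break out of an attribute or text
# node. Escaping at output time is the fix the advisory's Solution calls for.
sub html_escape {
    my ($s) = @_;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    $s =~ s/'/&#39;/g;
    return $s;
}

# Vulnerable pattern: "folder", "page" and "sort" are copied verbatim into
# hidden form fields so the next request keeps the same view. %$params is
# assumed to hold the already URL-decoded query parameters.
sub render_unsafe {
    my ($params) = @_;
    my $html = '';
    for my $name (qw(folder page sort)) {
        my $val = $params->{$name} // '';
        $html .= qq{<input type="hidden" name="$name" value="$val">\n};
    }
    return $html;
}

# Hardened pattern: same markup, but each reflected value passes through
# html_escape, so a value containing quotes and tags stays inert text.
# Parameters with a known shape (e.g. "page" is an integer) should also be
# validated on input; escaping on output is the part that closes the XSS.
sub render_safe {
    my ($params) = @_;
    my $html = '';
    for my $name (qw(folder page sort)) {
        my $val = html_escape($params->{$name});
        $html .= qq{<input type="hidden" name="$name" value="$val">\n};
    }
    return $html;
}

# Constructed request: "sort" carries the advisory's probe string, decoded.
my %req = (folder => 'INBOX', page => 1, sort => q{"<script>alert('r0t')</script>});
print "--- unsafe ---\n", render_unsafe(\%req);
print "--- safe ---\n",   render_safe(\%req);
```

The unsafe output closes the value attribute early and emits a live script tag, while the safe output keeps the same text as entities inside the attribute.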
