Uebimiau index.php Cross-Site Scripting Vulnerability



Uebimiau is an universal webmail developed in PHP. This issue is due  
to a failure in the application to properly sanitize user-supplied  
input. Attackers may exploit this issue via a web client. An attacker  
may leverage this issue to have arbitrary script code execute in the  
browser of an unsuspecting user in the context of the affected site.  
This may help the attacker steal cookie-based authentication  
credentials and launch other attacks. A successful exploit could allow  
an attacker to compromise the application, access or modify data, or  
exploit vulnerabilities in the underlying database implementation.



Hackers Center Security Group (http://www.hackerscenter.com)
Credit: Doz


Risk: Medium
Class: Input Validation Error
Remote: YES
Local: NO


Vendor: http://www.uebimiau.org/
Version: 2.7.10



Attackers can exploit these issues via a web client.



XSS:


www.site.com/imap/index.php?lid=en_UK&tid=default&f_user=XSS




Demo:


http://demo.uebimiau.org/imap/index.php?lid=en_UK


Security researcher? Join us: mail Zinho at zinho at hackerscenter.com

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.