OpenWebMail Multiple XSS vuln.
###############################################
Vuln. discovered by : r0t
Date: 2 August 2007
vendor:openwebmail.org
affected versions:2.52 20060831 and previous
###############################################
OpenWebMail contains multiple flaws that allows a remote Cross-Site Scripting attacks.
1. file "openwebmail-main.pl"
Input passed to the "searchtype" and "longpage" and "page" parameter isn't properly sanitised before being returned to the user.
2. file "openwebmail-prefs.pl"
Input passed to the:
"prefs_caller",
"userfirsttime",
"page",
"sort",
"folder",
"message_id"
parameter isn't properly sanitised before being returned to the user.
3. file "openwebmail-send.pl"
Input passed to the:
"compose_caller",
"msgdatetype",
"keyword",
"searchtype",
"folder",
"page",
"sort"
parameter isn't properly sanitised before being returned to the user.
4. file "openwebmail-folder.pl"
Input passed to the:
"folder",
"page",
"sort"
parameter isn't properly sanitised before being returned to the user.
5. file "openwebmail-webdisk.pl"
Input passed to the:
"searchtype",
"page",
"filesort",
"singlepage",
"showhidden",
"showthumbnail",
"message_id"
parameter isn't properly sanitised before being returned to the user.
6. file "openwebmail-advsearch.pl"
Input passed to the "folder" parameter isn't properly sanitised before being returned to the user.
7. file "openwebmail-abook.pl"
Input passed to the:
"abookcollapse",
"abooksearchtype",
"abooksort",
"abooklongpage",
"abookpage",
"message_id",
"searchtype",
"msgdatetype",
"sort",
"page",
"rootxowmuid",
"listviewmode"
parameter isn't properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Note:
For manual testing use:
%22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E
###############################################
Solution:
Edit the source code to ensure that input is properly sanitised.
###############################################