Info

Disclosure

Jul 28, 2005

Discovery

Jul 02, 2005

Dates

Exploit

Jul 28, 2005

Solution

Unknown

Description

@Mail contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate the 'year' or 'type' variables upon submission to printcal.pl script. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Calacode has released a patch for version 4.11 to address this vulnerability.

Products

Calacode	@Mail	4.11
		4.03

References

Secunia Advisory ID: 16252
Related OSVDB ID: 18338 18339 18340
Other Advisory URL: http://lostmon.blogspot.com/2005/07/mail-multiple-variable-cross-site.html
Vendor URL: http://www.atmail.com/

Credit

Lostmon Lords - Lostmongmail.com -

Direct URL: http://osvdb.org/36218