OSVDB ID: 6514

Title: Multiple Webmail mime.php Content-Type XSS

Info

Disclosure
May 29, 2004

Discovery
May 22, 2004

Dates

Exploit
May 29, 2004

Solution
Unknown

Description

 Multiple Webmail products contain a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate Content-Type upon submission to the mime.php script (or whatever script controls header content-type). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

 Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

 An upgrade is required to fix this vulnerability. Upgrade to the following versions depending on the product: Squirrelmail: 1.4.3 or 1.5.1 IMP: 3.2.4 OpenWebmail: 2.40 IlohaMail: 0.8.13 Sqwebmail: 4.0.5 BasiliX: 1.1.1_fix1

Products

SquirrelMail Project Team

Squirrelmail

 1.2.x
1.3.x
1.4.0
1.4.1
1.4.2
1.5.0

Horde Project

IMP

 3.2.3

Open Webmail Project

Open Webmail

 2.32
2.10
2.20
2.21
2.30

IlohaMail

IlohaMail

 0.8.12

Sam Varshavchik

SqWebMail

 4.0.4

BasiliX

BasiliX

 1.1.0
1.1.1
1.1.1_fix1

References

Credit
  • Román Medina-Heigl Hernández - romanBrand New Doo Doors-labs.com -


Direct URL: http://osvdb.org/36218