lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <3435.68.250.39.121.1138941487.squirrel@www.morx.org>
Date: Fri Feb  3 05:41:41 2006
From: simo at morx.org (simo@...x.org)
Subject: Outblaze Cross Site Scripting Vulnerability

Title: outblaze Cross Site Scripting

Author: Simo Ben youssef aka _6mO_HaCk <simo_at_morx_org>
Discovered: 23 january 2005
Published: 02 february 2006
MorX Security Research Team
http://www.morx.org

Service: Webmail manager

Vendor: outblaze / www.outblaze.com

Vulnerability: Cross Site Scripting / Cookie-Theft / Relogin attacks

Severity: Medium/High

Details:

With over 40 million mailboxes under Outblaze management, Outblaze
provided enhanced messaging services to telcos, service providers, VARs,
Carriers and Corporations on an outsoucing basis, The core product is an
advanced email system with several available ancillary services.
throw.main outblaze script is prone to cross-site scripting attacks.
This problem is due to a failure in the application to properly sanitize
user-supplied input. input can be passed in variable $file

Impact:

an attacker can exploit the vulnerable scripts to have arbitrary script
code executed in the browser of an authentified outblaze user in the
context of the vulnerable website. resulting in the theft of cookie-based
authentication giving the attacker full access to the victim's email
account as well as other type of attacks.


Affected script with proof of concept exploit:

/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>

Examples:

http://mymail.linuxmail.org/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://www.hackermail.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://mymail.operamail.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://mail01.mail.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>
http://super.japan.com/scripts/common/throw.main?file=<BODY%20ONLOAD=alert('vul')>

screen capture:

http://www.morx.org/mailXSS.jpg

Disclaimer:

this entire document is for eductional, testing and demonstrating purpose
only. Modification use and/or publishing this information is entirely on
your OWN risk. The information provided in this advisory is to be
used/tested on your OWN machine/Account. I cannot be held responsible for
any of the above.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ