Bugtraq mailing list archives
Cross-Site Scripting Vuln...
From: InterWN Labs <interwn () interwn nl>
Date: 24 Jan 2002 13:01:03 -0000
Hello All.

This is ANOTHER css vuln that has been found in web-based e-mail sites. It's not some high profile site but it's vulnerable nonetheless. I have an email address at www.iraqmail.com and it is possible to embed any amount of code into the body of the page.

There are 2 things you need to do first. The first thing you must do is register an account at www.iraqmail.com. Secondly, you must send an email to anyone. In the body of the page after the mail has been sent it should say:

Your message has been submitted

If you look in the address space there should be a URL along the lines of:

http://www.iraqmail.com/Account/Mailbox/INBOX.html?Info=Your+message+has+been+submitted&SID=131832-Pv5fIj5GobKp6ipfPks6&

You simply replace "Your+message+has+been+submitted" with any code and it will appear in the source of the page.

http://www.iraqmail.com/Account/Mailbox/INBOX.html?Info=<script>alert('InterWN Labs')</script>&SID=131832-Pv5fIj5GobKp6ipfPks6&

That will pop up an alert box with the name of our security group. I'm sure someone could find some far more clever ways to exploit this.

That's it. Thanx.

--philer
www.interwn.nl
www.ugcia.net
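Added example, not part of the original post and not the site's code: a Python sketch of the server-side fix for the reflected Info parameter described above, showing the unescaped rendering beside an output-encoded one and a stricter allowlisted one. The host, SID value, function names and message allowlist are constructed assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed request URL in the shape quoted in the post;
# the host and SID are placeholders, not values from the post.
SAMPLE_URL = ("http://webmail.example/Account/Mailbox/INBOX.html"
              "?Info=<script>alert('x')</script>&SID=PLACEHOLDER-SID&")

# Status messages the application itself generates (hypothetical allowlist).
KNOWN_MESSAGES = {"Your message has been submitted"}


def info_param(url):
    """Return the decoded Info query parameter, or an empty string."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("Info", [""])[0]


def render_unescaped(url):
    """Behaviour the post describes: the parameter is copied into the page as-is."""
    return '<div class="info">' + info_param(url) + "</div>"


def render_escaped(url):
    """Output-encode the parameter so markup characters become inert text."""
    return '<div class="info">' + html.escape(info_param(url), quote=True) + "</div>"


def render_allowlisted(url):
    """Stricter: display only messages the application can itself produce."""
    msg = info_param(url)
    if msg not in KNOWN_MESSAGES:
        msg = ""  # unknown text is dropped rather than reflected
    return '<div class="info">' + html.escape(msg, quote=True) + "</div>"


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped, render_allowlisted):
        print(render.__name__, "->", render(SAMPLE_URL))
```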