Vendor:   Captaris, Inc.
Date:     January 29, 2005
Issue:    XSS in Infinite Mobile Delivery v2.6 Webmail
URL:      http://www.capataris.com
Advisory: http://www.lovebug.org/imd_advisory.txt


Issue:

The webmail portion of the latest (and final) release of Infinite Mobile
Delivery contains a Cross Site Scripting vulnerability.  In addition to
the XSS, an even smaller issue exists where a user can determine the
installation path of the client and where e-mails are stored.

A user once logged in can simply start writing scripting immediately after
their user name and it will be executed within the browser.

---

Example: http://www-webmailusersite-com/username/[XSS]

The server will respond with:

Unable to parse request for user blah:
[XSS]

---

Also, the server will return the installation path if an illegal windows
folder character or name is entered after 'Folder:' - For example, Windows
does not let you have folders containing < > * | : \ / ? or com1, com2,
etc.

Example: http://www-webmailusersite-com/username/Folder:?

The server will respond with:

Error creating file: [drive letter]:\file's\path\USERS\username\?.IDX


---


Solutions:

I am not aware of any solutions at this time.


Vendor Response:

The vendor was notified of the issue in November 2004.  They also told me
that Captaris is no longer developing Infinite Mobile Delivery and that
there probably won't be any changs implemented.  To the best of my
knowledge there will be no further releases and there is no fix available.

Credits:

The best University in Virginia (Virginia Tech) for providing me education
for the past 3.5 years and for having so much terrible cold weather which
has given me time to write this up.

Steven
steven@lovebug.org