OpenWebMail Multiple XSS vuln. ############################################### Vuln. discovered by : r0t Date: 2 August 2007 vendor:openwebmail.org affected versions:2.52 20060831 and previous ############################################### OpenWebMail contains multiple flaws that allows a remote Cross-Site Scripting attacks. 1. file "openwebmail-main.pl" Input passed to the "searchtype" and "longpage" and "page" parameter isn't properly sanitised before being returned to the user. 2. file "openwebmail-prefs.pl" Input passed to the: "prefs_caller", "userfirsttime", "page", "sort", "folder", "message_id" parameter isn't properly sanitised before being returned to the user. 3. file "openwebmail-send.pl" Input passed to the: "compose_caller", "msgdatetype", "keyword", "searchtype", "folder", "page", "sort" parameter isn't properly sanitised before being returned to the user. 4. file "openwebmail-folder.pl" Input passed to the: "folder", "page", "sort" parameter isn't properly sanitised before being returned to the user. 5. file "openwebmail-webdisk.pl" Input passed to the: "searchtype", "page", "filesort", "singlepage", "showhidden", "showthumbnail", "message_id" parameter isn't properly sanitised before being returned to the user. 6. file "openwebmail-advsearch.pl" Input passed to the "folder" parameter isn't properly sanitised before being returned to the user. 7. file "openwebmail-abook.pl" Input passed to the: "abookcollapse", "abooksearchtype", "abooksort", "abooklongpage", "abookpage", "message_id", "searchtype", "msgdatetype", "sort", "page", "rootxowmuid", "listviewmode" parameter isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Note: For manual testing use: %22%3Cscript%3Ealert%28%27r0t%27%29%3C%2Fscript%3E ############################################### Solution: Edit the source code to ensure that input is properly sanitised. ###############################################