Calacode @Mail Webmail Filtering Engine HTML Injection Vulnerability

Bugtraq ID:	21708
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Dec 21 2006 12:00AM
Updated:	Jul 06 2007 08:47PM
Credit:	Philippe C. Caturegli from Netragard Research is credited with the discovery of this vulnerability.
Vulnerable:	CalaCode @Mail Webmail 4.51
Not Vulnerable:

Calacode @Mail Webmail Filtering Engine HTML Injection Vulnerability

Calacode @Mail is prone to an HTML-injection vulnerability because it fails to sufficiently sanitize user-supplied data.

An attacker can exploit this issue to execute arbitrary script code in the victim's browser, in the context of the affected site, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.

Calacode @Mail Webmail Filtering Engine HTML Injection Vulnerability

An attacker can exploit this issue by sending malicious email messages to victims.

The following proof-of-concept example is available:

• /data/vulnerabilities/exploits/21708.txt

Calacode @Mail Webmail Filtering Engine HTML Injection Vulnerability

Solution:
Reportedly, the vendor released a fix to this issue in patch version 4.61; Symantec has not confirmed this.

Please contact the vendor for more information.

Calacode @Mail Webmail Filtering Engine HTML Injection Vulnerability

References:

• @mail Webmail System (CalaCode)