BID:25942

MailBee WebMail Pro Multiple Cross Site Scripting Vulnerabilities

Info

MailBee WebMail Pro Multiple Cross Site Scripting Vulnerabilities

Bugtraq ID:	25942
Class:	Input Validation Error
CVE:	CVE-2007-5290
Remote:	Yes
Local:	No
Published:	Oct 05 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	Ivan Sanchez and Maximiliano Soler are credited with the discovery of these vulnerabilities.
Vulnerable:	AfterLogic MailBee WebMail Pro 3.4 AfterLogic MailBee WebMail Pro 3.3 AfterLogic MailBee WebMail Pro 3.2 AfterLogic MailBee WebMail Pro 3.1

Not Vulnerable:	AfterLogic MailBee WebMail Pro 4.0

Discussion

MailBee WebMail Pro Multiple Cross Site Scripting Vulnerabilities

MailBee WebMail Pro is prone to multiple cross-site scripting vulnerabilities because the application fails to sufficiently sanitize user-supplied input.

An attacker can exploit these issues to steal cookie-based authentication credentials and launch other attacks.

These issues affect MailBee WebMail Pro 3.4 and prior versions.

Exploit / POC

MailBee WebMail Pro Multiple Cross Site Scripting Vulnerabilities

To exploit these issues, an attacker must entice an unsuspecting victim into following a malicious URI.

The following proof-of-concept URIs are available:

http://www.example.com/[PATH]/login.php?mode=[XSS]
http://www.example.com/[PATH]/default.asp?mode=advanced_login&mode2=[XSS]

Solution / Fix

MailBee WebMail Pro Multiple Cross Site Scripting Vulnerabilities

Solution:
The vendor has released an update to address these issues. Please contact the vendor for information on how to obtain and apply this update.

References

MailBee WebMail Pro Multiple Cross Site Scripting Vulnerabilities

References:

Vendor Homepage (Afterlogic)
Reporting Vulnerable Public Webmail ([email protected])