BID:9748

CalaCode @mail Webmail System Cross-Site Scripting Vulnerability

Info

CalaCode @mail Webmail System Cross-Site Scripting Vulnerability

Bugtraq ID:	9748
Class:	Input Validation Error
CVE:
Remote:	Yes
Local:	No
Published:	Feb 26 2004 12:00AM
Updated:	Feb 26 2004 12:00AM
Credit:	Discovery is credited to Dr_insane <[email protected]>.
Vulnerable:	CalaCode @mail Webmail System 3.64

Not Vulnerable:

Discussion

CalaCode @mail Webmail System Cross-Site Scripting Vulnerability

It has been reported that @mail may be prone to a cross-site scripting vulnerability that may allow an attacker to execute HTML or script code in a user's browser. The issue is reported to exist due to insufficient sanitization of user-supplied data via the 'Displayed Name' of 'util.pl' script.

It has been reported that this issue affects @mail version 3.64, however, earlier versions may also be vulnerable.

Exploit / POC

CalaCode @mail Webmail System Cross-Site Scripting Vulnerability

No exploit is required.

Solution / Fix

CalaCode @mail Webmail System Cross-Site Scripting Vulnerability

Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.

References

CalaCode @mail Webmail System Cross-Site Scripting Vulnerability

References:

@MAIL 3.64 SERVER Multiple Vulnerabilities (Dr_insane)
@mail Webmail System (CalaCode)