EmuMail 5.0 Email Form - Script Injection

EDB-ID: 21878
Author: FVS
Type: webapps
Platform: CGI
Date: 2002-09-29

source: https://www.securityfocus.com/bid/5824/info

EmuMail is an open source web mail application. It is available for the Unix, Linux, and Microsoft Windows operating systems.

It has been reported that EmuMail does not properly sanitize input. Under some conditions, it is possible to pass an email containing script or HTML code through the EmuMail web mail interface. This would result in execution of the script code in the security context of the EmuMail site.

The issue can be demonstrated by entering the string below into the email address field on the main form:

<script>alert(document.cookie)</script>
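
The class of fix for the behaviour described above, as an added example that is not EmuMail's code: the address field is checked against an allowlist and HTML-encoded wherever it is echoed back. The handler, the field name `email` and the response text are hypothetical; the sample inputs are the string from this page and a constructed valid address.

```python
import html
import re

# Conservative allowlist for the address field: local@domain with no angle
# brackets, quotes or whitespace. Deliberately narrower than RFC 5322.
ADDRESS_RE = re.compile(
    r"[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9.-]{1,253}\.[A-Za-z]{2,63}"
)

# Inputs: the string quoted on this page, and a constructed valid address.
PAGE_STRING = "<script>alert(document.cookie)</script>"
VALID_SAMPLE = "user@example.org"


def is_valid_address(value):
    """Accept only values that match the allowlist in full."""
    return ADDRESS_RE.fullmatch(value) is not None


def render_address_field(value):
    """Echo the submitted value into the form, encoded for an HTML attribute.

    quote=True also encodes " and ', so the value cannot close the attribute.
    The field name "email" is an assumption for this example.
    """
    encoded = html.escape(value, quote=True)
    return '<input type="text" name="email" value="%s">' % encoded


def handle_submission(value):
    """Hypothetical handler: return (HTTP status, HTML fragment)."""
    if not is_valid_address(value):
        # Reject, and re-display the form with the value encoded, never raw.
        return 400, "<p>Invalid email address.</p>" + render_address_field(value)
    # Encode on output even after validation, so a later change that loosens
    # the allowlist does not reopen the injection.
    return 200, "<p>Address accepted: %s</p>" % html.escape(value)


if __name__ == "__main__":
    for sample in (PAGE_STRING, VALID_SAMPLE):
        print(handle_submission(sample))
```

Validation and encoding are kept separate on purpose: the allowlist rejects malformed input early, while the encoding step is what keeps any reflected value inert in the page.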