[Zeffie-Users] Fw: [SA14253] Open WebMail Login Page Cross-Site Scripting Vulnerability

Franklin S Werren webmaster at bagpipes.net
Tue Feb 15 00:04:28 EST 2005


----- Original Message ----- 
From: "Secunia Security Advisories" <sec-adv at secunia.com>
To: <admin at bagpipes.net>
Sent: Monday, February 14, 2005 2:26 PM
Subject: [SA14253] Open WebMail Login Page Cross-Site Scripting Vulnerability


>
> TITLE:
> Open WebMail Login Page Cross-Site Scripting Vulnerability
>
> SECUNIA ADVISORY ID:
> SA14253
>
> VERIFY ADVISORY:
> http://secunia.com/advisories/14253/
>
> CRITICAL:
> Less critical
>
> IMPACT:
> Cross Site Scripting
>
> WHERE:
> From remote
>
> SOFTWARE:
> Open WebMail 2.x
> http://secunia.com/product/3167/
>
> DESCRIPTION:
> Oriol Torrent Santiago has reported a vulnerability in Open WebMail,
> which can be exploited by malicious people to conduct cross-site
> scripting attacks.
>
> Input passed to the domain name parameter in the login page is not
> properly sanitised before being returned to users. This can be
> exploited to execute arbitrary HTML and script code in a user's
> browser session in context of a vulnerable site.
>
> SOLUTION:
> The vulnerability has been fixed in the CVS repository.
>
> PROVIDED AND/OR DISCOVERED BY:
> Oriol Torrent Santiago
>
> ----------------------------------------------------------------------
>
> About:
> This Advisory was delivered by Secunia as a free service to help
> everybody keep their systems up to date against the latest
> vulnerabilities.
>
> Subscribe:
> http://secunia.com/secunia_security_advisories/
>
> Definitions: (Criticality, Where etc.)
> http://secunia.com/about_secunia_advisories/
>
>
> Please Note:
> Secunia recommends that you verify all advisories you receive by
> clicking the link.
> Secunia NEVER sends attached files with advisories.
> Secunia does not advise people to install third party patches, only
> use those supplied by the vendor.
>
> ----------------------------------------------------------------------
>
>
>
> -- 
> No virus found in this incoming message.
> Checked by AVG Anti-Virus.
> Version: 7.0.300 / Virus Database: 265.8.7 - Release Date: 2/10/2005
> 



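
The flaw class the advisory describes (login-page input returned to the browser without encoding), shown beside a hardened form. This is an added example, not Open WebMail's code and not part of the original message; the form template, the `domain` field name and the sample inputs are assumptions constructed for illustration.

```python
import html
import re

# Hostname syntax (RFC 1123 labels, max 63 chars each); anything else is rejected.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")

# Hypothetical login form; "domain" is an assumed field name, not the project's.
_FORM = ('<form method="post" action="/login">\n'
         '  <input type="text" name="domain" value="{domain}">\n'
         '  <input type="text" name="user">\n'
         '  <input type="password" name="password">\n'
         '</form>')

# Constructed sample inputs.
SAMPLE_OK = " Mail.Example.ORG "
SAMPLE_MARKUP = '"><b>injected</b>'


def render_login_unsafe(domain: str) -> str:
    """The flaw class in the advisory: request input echoed back verbatim."""
    return _FORM.format(domain=domain)


def clean_domain(raw: str) -> str:
    """Return the lower-cased domain if it is a valid hostname, else ''."""
    raw = raw.strip()
    if len(raw) <= 253 and _DOMAIN_RE.fullmatch(raw):
        return raw.lower()
    return ""


def render_login_encoded(domain: str) -> str:
    """Output encoding alone: the value is kept but is inert inside the attribute."""
    return _FORM.format(domain=html.escape(domain, quote=True))


def render_login_safe(domain: str) -> str:
    """Both layers: validate on input, then encode for the attribute on output."""
    return _FORM.format(domain=html.escape(clean_domain(domain), quote=True))


if __name__ == "__main__":
    for value in (SAMPLE_OK, SAMPLE_MARKUP):
        print(render_login_safe(value), end="\n\n")
```

Encoding at the point of output is the layer that closes the hole; the hostname check is defence in depth and keeps junk out of logs and later lookups.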



