<<< Date Index >>>     <<< Thread Index >>>

I have discovered small xss error in open webmail 2.41



Discovered by s3cure

Risk: small

When we are logged on account we see:

http://site.site/cgi-bin/openwebmail/openwebmail-main.pl?sessionid=yourlogin*-session-0.274744641575129&action=listmessages_afterlogin

Now we can do small xss:

http://site.site/cgi-bin/openwebmail/openwebmail-main.pl?sessionid=yourlogin*-session-here
 xss&action=listmessages_afterlogin

Ofcourse we can do a lots of other things but ... It's now your job.