Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems
From: Roman Medina-Heigl Hernandez <roman () rs-labs com>
Date: Mon, 05 Jul 2004 20:28:16 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


  Hello,

  On 29.May.2004, I disclosed an important XSS vulnerability in latest
versions of a well-known webmail: SquirrelMail. Upon publication I
received the notice that other important webmails were also vulnerable
to the same bug. Indeed the same exploits released for SquirrelMail
worked without any changes in these systems. I decided to contact
several other webmail vendors and ask directly to check their software
and confirm or deny the vulnerability.

  The purpose of this brief advisory is to provide you with the
collected info in an objective and summarized way.

  PS: Sorry for the big delay.

 Saludos,
 --Roman

- --
PGP Fingerprint:
09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
[Key ID: 0xEAD56742. Available at KeyServ]

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>

iQA/AwUBQOmPneR/in3q1WdCEQKHUQCfaNoy7mu+g0AKsK9LFiwVyT5zXJEAoIzW
h0imdE0FayaQLIFBiX47hpHW
=9k38
-----END PGP SIGNATURE-----

Attachment: RS-Labs-Advisory-2004-2.txt
Description:


  By Date           By Thread  

Current thread:
  • RS-2004-2: "Content-Type" XSS vulnerability affecting other webmail systems Roman Medina-Heigl Hernandez (Jul 05)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault