Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2010-3201

Publish Date: 04 Oct 2010

Source

                							

                Application    NetWin Surgemail 4.3e
Vendor         NetWin - http://netwinsite.com

Discovered by  Kerem Kocaer &lt;kerem.kocaer@bitsec.se&gt;

Problem
-------
Cross-site scripting (XSS) vulnerability in the Surgemail webmail login page
(/surgemail) allows remote attackers to inject arbitrary web script or HTML. 

Input passed to the "username_ex" parameter is not properly sanitised before 
being returned to the user, therefore enabling the execution of arbitrary 
script code in a user's browser session, which can lead to cookie theft and 
session hijacking. 

The vulnerability is confirmed to exist in version 4.3e (latest version at 
the date of vulnerability discovery). Previous versions may also be vulnerable.

Exploit
-------
http://[address]/surgeweb?username_ex="/&gt;&lt;scri&lt;script&gt;alert(document.cookie);&lt;/script&gt;&lt;input type="hidden
(tested on Firefox)

Fix
---
The vendor has reported fixing the problem in version 4.3g.

Timeline
--------
2010-05-13 Notified NetWin (ChrisP.)
2010-05-13 Received response from NetWin
2010-05-13 Provided details to NetWin
2010-05-26 Surgemail patched

Reference
---------
CVE Number: CVE-2010-3201
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

NetWin Surgemail 4.3e Cross Site Scripting

Vulmon Search

About

Products

Connect