Topic: Arbitrary tags injection in victim's browser context
Announced: 2005-02-12
Credits: Oriol Torrent Santiago
Affects: all versions before 20050212
Corrected: openwebmail versions after 2.50 20040212
Patches: http://openwebmail.org/openwebmail/download/cert/patches/SA-05:01/
         http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-05:01/

I. Background

Open WebMail allows the client to specify the default domain for login in the URL.

II. Problem Description

A vulnerability has been discovered in OWM due to missing validation of the input supplied to the "logindomain" variable.

III. Impact

When correctly exploited, it permits the execution of scripts (JavaScript, VBScript, etc.) in the context of the victim's browser. Compromise of the webmail account, cookie theft, or further exploitation of any existing local vulnerability in the browser (especially easy in the case of MS-IE, which still has plenty of pending [unpatched] security vulnerabilities) are only some examples of the possibilities.

IV. Workaround

No.

V. Solution

A. upgrade to the latest openwebmail-current.tar.gz
B. or apply the patch in
   http://openwebmail.org/openwebmail/download/cert/patches/SA-05:01/
   http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-05:01/
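The class of check that section II says is missing, as an added illustration and not Open WebMail's own code or patch: an allow-list validation of the "logindomain" value against hostname syntax (RFC 1123), falling back to a server-side default when the value is rejected, with output escaping kept as a second layer. Function names and the sample inputs are assumptions.

```python
import html
import re
from typing import Optional

# RFC 1123 hostname syntax: labels of letters, digits and hyphens,
# no leading or trailing hyphen, 1-63 characters per label.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_valid_logindomain(value: str) -> bool:
    """Allow-list check: accept only a syntactically valid hostname.
    Anything containing quotes, angle brackets, spaces or slashes fails
    here, which is what blocks tag injection via this parameter."""
    if not value or len(value) > 253:
        return False
    return _HOSTNAME_RE.fullmatch(value) is not None


def select_logindomain(value: Optional[str], default: str) -> str:
    """Use the client-supplied domain only if it validates; otherwise
    silently use the server-configured default (hypothetical helper)."""
    if value is not None and is_valid_logindomain(value):
        return value
    return default


def render_domain_field(domain: str) -> str:
    """Build the HTML fragment with the value attribute-escaped, so even a
    value that slipped past validation cannot break out of the attribute."""
    escaped = html.escape(domain, quote=True)
    return f'<input type="hidden" name="logindomain" value="{escaped}">'


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate, one carrying markup.
    for candidate in ("mail.example.org", '"><script>x</script>'):
        chosen = select_logindomain(candidate, "example.org")
        print(repr(candidate), "->", render_domain_field(chosen))
```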