[Full-Disclosure] kmMail XSS

From: Ulf Harnhammar (ulfh@update.uu.se)
Date: 10/21/02

• Next message: David Endler: "[Full-Disclosure] iDEFENSE Security Advisory 10.21.02: Cross-Site Scripting Holes present in virtually all websites"
• Previous message: Joe Testa: "[Full-Disclosure] Reproducing the MS DCE-RPC DOS."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: ulfh@update.uu.se (Ulf Harnhammar)
Date: Mon, 21 Oct 2002 00:26:12 +0200 (CEST)

kmMail XSS

* kmMail is an open-sourced web-based mail client, based on
Keftamail.

* kmMail version 1.0b has got a cross-site scripting bug when
viewing HTML e-mail messages. It filters out bad HTML elements,
but not good HTML elements with bad HTML attributes like this one:

<b onMouseOver="alert(document.location)">bolder</b>

* kmMail version 1.0b.1 doesn't have this problem.

* Therefore any kmMail users out there should upgrade.

// Ulf Harnhammar
   VSU Security
   ulfh@update.uu.se

• Next message: David Endler: "[Full-Disclosure] iDEFENSE Security Advisory 10.21.02: Cross-Site Scripting Holes present in virtually all websites"
• Previous message: Joe Testa: "[Full-Disclosure] Reproducing the MS DCE-RPC DOS."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint