XSS in Infinite Mobile Delivery v2.6 Webmail
Date: Sat, 29 Jan 2005 13:07:40 -0800 (PST) To: email@example.com
The webmail portion of the latest (and final) release of Infinite Mobile
Delivery contains a Cross Site Scripting vulnerability. In addition to
the XSS, an even smaller issue exists where a user can determine the
installation path of the client and where e-mails are stored.
A user once logged in can simply start writing scripting immediately after
their user name and it will be executed within the browser.
--- Example: http://www-webmailusersite-com/username/[XSS] The server will respond with: Unable to parse request for user blah: [XSS] --- Also, the server will return the installation path if an illegal windows folder character or name is entered after 'Folder:' - For example, Windows does not let you have folders containing < > * | : \ / ? or com1, com2, etc. Example: http://www-webmailusersite-com/username/Folder:? The server will respond with: Error creating file: [drive letter]:\file's\path\USERS\username\?.IDX --- Solutions: I am not aware of any solutions at this time. Vendor Response: The vendor was notified of the issue in November 2004. They also told me that Captaris is no longer developing Infinite Mobile Delivery and that there probably won't be any changs implemented. To the best of my knowledge there will be no further releases and there is no fix available. Credits: The best University in Virginia (Virginia Tech) for providing me education for the past 3.5 years and for having so much terrible cold weather which has given me time to write this up. Steven firstname.lastname@example.org