_MAIN_ Exploit:
The XSS hole I developed the most is in addressbook.php. I was able to
inject and execute javascript code and after opening the addressbook
page there was no indication that I had changed anything (after
entering the HTML comment tags to get rid of some hanging code that my
javascript had made text).
The URL I crafted for the exploit is as follows:
http://<VULNERABLE
SITE>.net/webmail/src/addressbook.php?"><script>alert(document.cookie)</script><!--
If you execute the code without the HTML comment tag on the end it
leaves a nasty hanging bit of HTML code which is a clear indication
that something has gone awry to many users (however some may ignore it
as they don't understand it).
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3652
7612ce4b-ef26-0410-bec9-
ea0150e637f0
projects / squirrelmail.git / commit