The XSS hole I developed the most is in addressbook.php. I was able to
inject and execute JavaScript code, and after opening the addressbook
page there was no indication that I had changed anything (after
entering the HTML comment tags to get rid of some hanging code that my
JavaScript had made text).
The URL I crafted for the exploit is as follows:
http://<VULNERABLE SITE>.net/webmail/src/addressbook.php?"><script>alert(document.cookie)</script><!--
If you execute the code without the HTML comment tag on the end it
leaves a nasty hanging bit of HTML code which is a clear indication
that something has gone awry to many users (however some may ignore it
as they don't understand it).
git-svn-id: https://svn.code.sf.net/p/squirrelmail/code/trunk/squirrelmail@3652 7612ce4b-ef26-0410-bec9-ea0150e637f0
$abortform = false;
$showaddrlist = true;
$defselected = array();
$abortform = false;
$showaddrlist = true;
$defselected = array();
+$form_url = 'addressbook.php';
/* Handle user's actions */
/* Handle user's actions */
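Review bot: the added `$form_url = 'addressbook.php';` has no comment saying why the form target is a fixed string instead of `$PHP_SELF`. A one-line comment above it, noting that `$PHP_SELF` (which, going by the URL in the commit message, carries the request's query string) must not be echoed into markup, would keep a later cleanup from reverting to it. Only the four FORM tags are changed in this patch, so any other echo of `$PHP_SELF` in addressbook.php should be checked in the same pass.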
$olddata = $abook->lookup($enick, $ebackend);
/* Display the "new address" form */
$olddata = $abook->lookup($enick, $ebackend);
/* Display the "new address" form */
- echo '<FORM ACTION="' . $PHP_SELF . '" METHOD="POST">' .
+ echo '<FORM ACTION="' . $form_url . '" METHOD="POST">' .
"\n" .
html_tag( 'table',
html_tag( 'tr',
"\n" .
html_tag( 'table',
html_tag( 'tr',
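Review bot: in `echo '<FORM ACTION="' . $form_url . '" METHOD="POST">'` the value is still concatenated into the attribute unescaped, which is safe only while `$form_url` stays a literal. Writing it as `htmlspecialchars($form_url, ENT_QUOTES)` here and at the three other FORM tags in this patch keeps the output safe if the variable is ever built from request data.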
'center', '', 'width="100%"' );
/* Display the "new address" form again */
'center', '', 'width="100%"' );
/* Display the "new address" form again */
- echo '<FORM ACTION="' . $PHP_SELF .
+ echo '<FORM ACTION="' . $form_url .
'" METHOD="POST">' . "\n" .
html_tag( 'table',
html_tag( 'tr',
'" METHOD="POST">' . "\n" .
html_tag( 'table',
html_tag( 'tr',
/* List addresses */
if (count($alist) > 0) {
/* List addresses */
if (count($alist) > 0) {
- echo '<FORM ACTION="' . $PHP_SELF . '" METHOD="POST">' . "\n";
+ echo '<FORM ACTION="' . $form_url . '" METHOD="POST">' . "\n";
while(list($undef,$row) = each($alist)) {
/* New table header for each backend */
while(list($undef,$row) = each($alist)) {
/* New table header for each backend */
/* Display the "new address" form */
echo '<a name="AddAddress"></a>' . "\n" .
/* Display the "new address" form */
echo '<a name="AddAddress"></a>' . "\n" .
- '<FORM ACTION="' . $PHP_SELF . '" NAME=f_add METHOD="POST">' . "\n" .
+ '<FORM ACTION="' . $form_url . '" NAME=f_add METHOD="POST">' . "\n" .
html_tag( 'table',
html_tag( 'tr',
html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",
html_tag( 'table',
html_tag( 'tr',
html_tag( 'td', "\n". '<strong>' . sprintf(_("Add to %s"), $abook->localbackendname) . '</strong>' . "\n",
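Review bot: on the changed line, `NAME=f_add` is left unquoted while `ACTION` and `METHOD` on the same tag are quoted. Since the line is being touched anyway, quote it as `NAME="f_add"` so every attribute on the tag follows one convention.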