Older versions of SquirrelMail (sqmail) have several XSS holes, but no public exploit for them. This time I'll write up an example of my own.
The Hong Kong University of Science and Technology likes to use SquirrelMail as its webmail backend and keeps advertising how advanced it is, yet never thinks about upgrading... The actual holes are CVE-2008-2379 plus an old one, and even the latest sqmail release does not seem to have fully fixed them.

First, check the sqmail version HKUST is running: log out, then request a page that requires login, and the version shows up: 1.4.10a. Now look at http://squirrelmail.org/security/ for the holes affecting that version. The one that caught my eye is "Cross site scripting in HTML filter 1.4.0-1.4.16", CVE-2008-2379. Is there a ready-made exploit on the internet? ... No. So look at the patch instead: http://squirrelmail.svn.sourceforge.net/viewvc/squirrelmail/branches/SM-1_4-STABLE/squirrelmail/functions/mime.php?r1=13276&r2=13338&view=patch

Then grab the source and study it. The hole is that the function strips the quotes on both sides of a link at the start, but after processing forgets to put the quotes back. Reading the source more carefully turned up something tricky, though: the developer checks for a set of dangerous characters up front and immediately throws the link away if any is found. This is where I want to scream: fine, filter other characters, but filtering 0x20 (space), 0x21 (!), 0x23 (#), 0x24 ($) and 0x25 (%) is outrageous. Good luck writing a normal URL with that. Anyway, the first task is to construct an XSS when the most common separators are unavailable: how do you separate a tag name from its attributes with no space and none of the other usual separators? I had tried a wonderful trick before: a backslash can separate the tag name from the tag attributes. Tested, it works in all major browsers, and sqmail returns the content as-is.
That alone is enough, because a script tag can be used directly. But I wanted to try the img tag, which raises the second problem: at that point the attributes can no longer be separated with a backslash, because the backslash is treated as part of the attribute value. Here another wonderful discovery comes in handy: the major browsers parse \127 as a single quote. With that, the following payload works, and the complete exploit for this hole is <a href='http://test/?p= ></A>'>test</a>.

The last one is the old SVG hole: xlink:href accepts javascript. Use this directly: <svg xmlns="http://www.w3.org/2000/svg" style="width:700px;height:400px;z-index:101;display:block;margin-top:-400px;"><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onClick" xlink:href="javascript:console.log(/xss/)"><rect width="1000" height="1000" fill="transparent"/></a></svg>

Why do I say the new sqmail version is only half fixed? This exploit was originally designed to cover almost the entire page with a large clickable transparent rect so that the user triggers it by clicking anywhere. The new sqmail version fixed the style-based page overlay, but the xlink:href hole (a javascript: URL in xlink:href) is not fixed. On top of that, none of the sqmail cookies in this version, the session cookie included, are HttpOnly, so XSS here is fatal. Send the mail to yourself and check the message page: the trace is there, the onerror handler fires, and the click-deception overlay works as expected. So... why can't this be upgraded?

Solution:
Upgrade, upgrade, and fix xlink:href in SquirrelMail? Didn't you say you wanted to move to Google Apps...
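The half-fixed part of the filter described above is the javascript: URL in a namespaced SVG attribute. As an added defensive example (my own code, not SquirrelMail's mime.php), here is a checker that scans URL-valued attributes, including xlink:href on SVG elements, and flags script schemes after normalizing the way browsers do: entities decoded, control characters, spaces and 0x7f dropped, case ignored. The sample document is constructed.

```python
"""Flag URL-valued attributes whose value resolves to a script scheme,
including namespaced SVG attributes such as xlink:href that older HTML
filters skip. Added example, not SquirrelMail code."""
from html.parser import HTMLParser

# Attribute names (lower-cased, as html.parser reports them) that take a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href", "data"}
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")


def normalize_url(value: str) -> str:
    # Browsers drop C0 control characters, space and DEL (0x7f) while reading
    # a scheme, so "java\tscript:" or "javascri\x7fpt:" still execute.
    # Character references are already decoded by html.parser.
    return "".join(ch for ch in value if ch > "\x20" and ch != "\x7f").lower()


def is_script_url(value: str) -> bool:
    return normalize_url(value).startswith(SCRIPT_SCHEMES)


class ScriptUrlFinder(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []  # (tag, attribute name, original value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value is not None and is_script_url(value):
                self.findings.append((tag, name, value))

    handle_startendtag = handle_starttag  # self-closing tags like <rect .../>


def find_script_urls(html: str):
    """Return every (tag, attr, value) in html whose value is a script URL."""
    finder = ScriptUrlFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    # Constructed sample mirroring the SVG payload discussed in the post,
    # with a tab hidden inside the scheme, next to a harmless link.
    sample = ('<svg xmlns="http://www.w3.org/2000/svg">'
              '<a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:actuate="onClick"'
              ' xlink:href="java&#x09;script:console.log(/xss/)">'
              '<rect width="1000" height="1000" fill="transparent"/></a></svg>'
              '<a href="https://example.invalid/ok">fine</a>')
    for hit in find_script_urls(sample):
        print("blocked:", hit)
```

A mail filter can reject or strip the message on any finding; a denylist of separator characters, as in the filter above, catches none of these cases.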