| VID |
21308 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Open WebMail program, according to its version number, has a Cross-Site Scripting vulnerability. Open WebMail is an open-source Web mail program written in Perl for Unix-based operating systems. Versions 2.32 and earlier of Open WebMail are vulnerable to Cross-Site Scripting, caused by improper filtering of the Content-Type header or Content-Description header in e-mail messages. By sending an e-mail message with a specially crafted Content-Type or Content-Description header, a remote attacker could cause arbitrary scripting code to be executed within the target user's browser once the message is viewed by the target user. This vulnerability could be exploited for session hijacking and the theft of cookie-based authentication credentials.
* Note: This check relies solely on the version number of the remote Open WebMail to assess this vulnerability, so this might be a false positive. If the version number was obtained from the file 'openwebmail.pl' and you have applied the patch released on June 3, 2004 or later, please ignore this alert.
* References: http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt
* Platforms Affected: Open WebMail 2.32 (2004-06-02) and earlier; Linux, any version |
| Recommendation |
Upgrade to the latest version (dated 16-June-2004 or later) of Open WebMail from the Open WebMail Web site at http://openwebmail.org. This issue is fixed in the Open WebMail 2.32 release dated 2004-06-03. |
| Related URL |
(CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|