ArGoSoft Mail Server Pro Script Injection
8th Oct 2002 [SBWID-5738]
COMMAND

	ArGoSoft Mail Server Pro script injection

SYSTEMS AFFECTED

	ArGoSoft Mail Server Pro, tested on version 1.8.1.9

PROBLEM

	Francisco Claude [zorbas@systat.cl] says:
	

	It is possible to execute JavaScript by sending it inside a mail.
	ArGoSoft does not filter that, and you can steal the cookie from the
	user. The cookie has a problem too: it saves the username and the
	password in plain text. You only have to decode the cookie, and you
	have something like this:
	

	mail@domain:password

	

	

SOLUTION

	Deactivate the Web-Mail interface until a patch is released.
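
The two defects reported above, script in displayed mail that is not filtered and credentials stored in the cookie, are handled as follows in this added example, which is not ArGoSoft's code and not part of the original advisory. It assumes a hypothetical Node.js webmail that displays messages as plain text; every function name in it is illustrative.

```javascript
// Added example (not ArGoSoft code): hardening a hypothetical Node.js webmail.
const crypto = require("crypto");

// Encode the five HTML-significant characters so mail content is displayed
// as text and never parsed as markup or script by the browser.
function escapeHtml(untrusted) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Every field taken from the message is sender-controlled, headers included.
function renderMessage(msg) {
  return [
    '<div class="mail">',
    `<h1>${escapeHtml(msg.subject)}</h1>`,
    `<p class="from">${escapeHtml(msg.from)}</p>`,
    `<pre>${escapeHtml(msg.body)}</pre>`,
    "</div>",
  ].join("\n");
}

// Server-side session table: the cookie carries only a random identifier,
// so decoding it reveals neither the mailbox name nor the password.
const sessions = new Map();

function createSessionCookie(mailbox) {
  const id = crypto.randomBytes(32).toString("hex");
  sessions.set(id, { mailbox, created: Date.now() });
  // HttpOnly hides the cookie from document.cookie; Secure and SameSite
  // restrict where the browser will send it.
  return `sid=${id}; HttpOnly; Secure; SameSite=Strict; Path=/`;
}

// Resolve a Cookie header back to a mailbox, or null if the id is unknown.
function mailboxForCookie(cookieHeader) {
  const m = /(?:^|;\s*)sid=([0-9a-f]{64})(?:;|$)/.exec(cookieHeader || "");
  const session = m && sessions.get(m[1]);
  return session ? session.mailbox : null;
}

// Constructed sample message with markup in the subject and body.
const sample = {
  from: "sender@example.org",
  subject: "<b>hello</b>",
  body: 'See <script>/* placeholder */</script> & "quotes"',
};
```

A webmail that renders HTML mail cannot rely on escaping alone and needs an allow-list HTML sanitizer for the body instead.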
