1st Class Mail Server multiple cross-site scripting

1stclass-multiple-xss (15815) The risk level is classified as MediumMedium Risk

Description:

1st Class Mail Server is vulnerable to cross-site scripting. A remote attacker could send a malicious URL link containing embedded code to multiple scripts in the /user directory, which would be executed in the victim's Web browser within the security context of the hosting site, once the link is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials and hijack the account.


Consequences:

Gain Access

Remedy:

No remedy available as of July 9, 2011.

References:

  • Dr_insane Advisory April 8, 2004: 1st Class mail server 4.01 Directory Traversal and XSS vulnerabilities.
  • BID-10089: 1st Class Internet Solutions 1st Class Mail Server Multiple Input Validation Vulnerabilities
  • CVE-2004-2447: Cross-site scripting (XSS) vulnerability in 1st Class Mail Server 4.01 allows remote attackers to inject arbitrary web script or HTML via the Mailbox parameter to (1) viewmail.tagz, (2) the index script under /user/, (3) members.tagz, (4) general.tagz, (5) advanced.tagz, or (6) list.tagz.
  • OSVDB ID: 5012: 1st Class Mail Server viewmail.tagz XSS
  • OSVDB ID: 5013: 1st Class Mail Server Index XSS
  • OSVDB ID: 5014: 1st Class Mail Server members.tagz XSS
  • OSVDB ID: 5015: 1st Class Mail Server general.tagz XSS
  • OSVDB ID: 5016: 1st Class Mail Server advanced.tagz XSS
  • OSVDB ID: 5017: 1st Class Mail Server list.tagz XSS
  • SA11330: 1st Class Mail Server Directory Traversal and Cross Site Scripting
  • SECTRACK ID: 1009705: 1st Class Mail Server Input Validation Holes Disclose Files to Remote Users and Permit Cross-Site Scripting Attacks

Platforms Affected:

  • 1cis 1st Class Mail Server 4.01

Reported:

Apr 08, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page