Info

Disclosure

Feb 27, 2006

Discovery

Unknown

Dates

Exploit

Feb 27, 2006

Solution

Unknown

Description

ArGoSoft Mail Server Pro contains a flaw that allows a remote cross site scripting attack. This flaw exists because the Webmail application does not validate various e-mail headers (e.g. "subject" and "from") before being displayed by the "View Headers" functionality. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 1.8.8.6 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Argosoft

Mail Server Pro

1.8.8.5

References

Bugtraq ID: 16834
Secunia Advisory ID: 18991
CVE ID: 2006-0978 (see also: NVD)
VUPEN Advisory: ADV-2006-0751
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0511.html
Other Advisory URL: http://secunia.com/secunia_research/2006-6/advisory/
Vendor URL: http://www.argosoft.com/rootpages/MailServer/Default.aspx

Credit

Secunia Security Advisories - sec-advsecunia.com - Secunia

Direct URL: http://osvdb.org/23512