IlohaMail user Parameter XSS

This script is Copyright (C) 2004-2011 George A. Theall


Synopsis :

The remote web server contains an PHP application that is affected by
a cross-site scripting vulnerability.

Description :

According to its banner, the remote web server is running IlohaMail
version 0.8.10 or earlier. Such versions do not properly sanitize the
'user' parameter before using it to generate dynamic HTML output. An
attacker may be able to leverage this to inject arbitrary HTML and
script code into a user's browser to be executed within the security
context of the affected site.

See also :

http://www.nessus.org/u?ce7ea0ed

Solution :

Upgrade to IlohaMail version 0.8.12 or later.

Note that 0.8.11 was released to address this issue, but that version
has a crippling bug.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.7
(CVSS2#E:H/RL:OF/RC:C)
Public Exploit Available : true

Family: CGI abuses : XSS

Nessus Plugin ID: 14637 (ilohamail_user_parameter.nasl)

Bugtraq ID: 9131

CVE ID: