Full Disclosure mailing list archives
Open Xchange XSS
From: Thomas Pollet <thomas.pollet () gmail com>
Date: Tue, 3 Jan 2006 13:21:22 +0100
Open Xchange webmail (<=0.8.1-6) suffers from XSS.
http://mirror.open-xchange.org/ox/EN/community/

Vendor response:

For the commercial OX you don't need this, as there exist additional security options where you will not be able to use this session. It's a general problem for all web-based mailers: some of them try to filter such scripts, some of them do not and show a warning instead that the document may contain "dangerous content". But you will never be able to filter all possible scripting. Displaying HTML content is ALWAYS an insecure option, so it is recommended to disable "Inline HTML" in the WebMail options. Anyway, I will check if I can make some basic filter to get most of such tags.

Cheers,
Thomas
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
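The vendor's point above, that a "basic filter to get most of such tags" can never be complete, is easy to demonstrate. The following is an added example written for this archive page; it is not Open-Xchange code and says nothing about which payload the original report used. It puts a regex blacklist that strips script elements beside a small allowlist sanitizer built on Python's html.parser, runs both over a handful of constructed HTML mail bodies, and reports which outputs still carry something a browser would execute. The message bodies, the tag and attribute allowlists, and the crude "still executable" oracle are all assumptions made for the demo.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# --- 1. Blacklist filter: the "strip the dangerous tags" approach. ---
# Removes well-formed <script>...</script> elements and nothing else.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)

def blacklist_filter(doc: str) -> str:
    """Strip <script> elements; everything else passes through untouched."""
    return SCRIPT_RE.sub("", doc)

# --- 2. Allowlist sanitizer: keep only what is explicitly permitted. ---
# Demo allowlists (assumptions for this example, not a production policy).
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "img"}
ALLOWED_ATTRS = {"a": {"href"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", ""}   # "" covers relative URLs

def _safe_url(value: str) -> bool:
    # urlsplit drops embedded tab/newline characters, so "java\tscript:"
    # is still recognised as the javascript scheme and rejected.
    return urlsplit(value.strip()).scheme.lower() in SAFE_SCHEMES

class AllowlistSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.skip_depth = 0   # > 0 while inside a dropped <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1        # drop the element and its content
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return                      # unknown tag: dropped, text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue                # drops every on* handler, style=, ...
            if name in URL_ATTRS and not _safe_url(value or ""):
                continue                # drops javascript:, data:, vbscript: ...
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            if self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))

def allowlist_sanitize(doc: str) -> str:
    """Re-serialise doc keeping only allowlisted tags, attributes and URL schemes."""
    p = AllowlistSanitizer()
    p.feed(doc)
    p.close()                           # flushes an unterminated <script>
    return "".join(p.out)

# --- 3. Constructed HTML mail bodies (not from the original report). ---
MESSAGES = {
    "script_element":      '<p>Hello</p><script>alert(document.cookie)</script>',
    "event_handler":       '<img src="https://example.com/pic.png" onerror="alert(document.cookie)">',
    "javascript_url":      '<a href="javascript:alert(document.cookie)">invoice</a>',
    "unterminated_script": '<p>Hello</p><script>alert(document.cookie)',
    "svg_onload":          '<svg onload="alert(document.cookie)"></svg>',
}

# Crude oracle for the demo only: a script element, an on* attribute or a
# javascript: URL surviving in the output means the filter failed.
EXEC_RE = re.compile(r"<script\b|\son[a-z]+\s*=|javascript:", re.IGNORECASE)

def still_executable(doc: str) -> bool:
    return bool(EXEC_RE.search(doc))

def evaluate(filter_fn) -> dict:
    """Map each message name to True if filter_fn's output still looks executable."""
    return {name: still_executable(filter_fn(body)) for name, body in MESSAGES.items()}

if __name__ == "__main__":
    for name, fn in (("blacklist", blacklist_filter), ("allowlist", allowlist_sanitize)):
        print(name, evaluate(fn))
```

The blacklist catches exactly the one case it was written for and passes the event handler, the javascript: URL, the unterminated script element and the SVG onload untouched; the allowlist sanitizer strips all five, because anything it does not recognise is dropped rather than matched. Even so, an allowlist over a hand-written parser is still a second-best to the vendor's own recommendation of not rendering inline HTML at all: a real deployment would pair it with a well-maintained sanitizer library and a Content Security Policy.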