#Name :inoutwebmail Persistent Xss Vulnerability

#Date : Dec,20 2010

#Vendor Url :http://www.inoutscripts.com/

#Author : Sid3^effects aKa HaRi <shell_c99[at]yahoo.com>

#Big hugs : Th3 RDX,Hanan_butt,

#special thanks to : r0073r (inj3ct0r.com),L0rd CruSad3r,SeeMe,MaYur,MA1201,KeDar,Sonic,gunslinger_,Sn!pEr.S!Te,n4pst3rr,tranquiller,Sug@R

#greetz to :!Op3x_ninjato team,www.topsecure.net ,trent Dillman,All ICW members and my friends :) luv y0 guyz

#######################################################################################################

Description:

Inout Webmail is a complete webmail solution for your website. Build your own personal secure mail service today

###############################################################################################################

Exploit:Persistent Xss Vulnerability

The vulnerability exists due to failure in the script to properly sanitize user-supplied input.Successful exploitation of this vulnerability could result in a compromise of the application,disclosure or modification of sensitive data.

>The Xss vulnerability exists in "contacts",emailfilter

>Also the attacker can send malicious xss scripts to the users who are using this application

Attack parameter: "><script>alert("xss")</script>

>http://server/path/index.php?page=mail/mailbox

>http://server/index.php?page=settings/emailfilter

###############################################################################################################

Fix:

   N/a

###############################################################################################################

# 0day no more

# Sid3^effects

# 1337day.com

https://www.exploit-db.com/exploits/15781/

Inoutscripts.com - The support team was useless and didn't provide any info

Inoutscripts.com - Their support team doesn't help you after you buy from them

Inoutscripts.com - Company didn't provide support and it was difficult to contact them