[VIM] Openwebmail: 2 XSS vulns not one, and some version hints

Steven M. Christey coley at mitre.org
Mon Jun 26 20:09:57 EDT 2006

Various VDB's appear to be combining two distinct XSS reports from the
OpenWebMail vendor, and/or are not being precise about the
distinction.  Making this more difficult appears to be the lack of
clearly labeled versions.

The changelog is:


Relevant items are:

  3. fix additional XSS exploits in openwebmail-read.pl due to the
     from address not being sanitized properly



   2. modify some additional openwebmailerror calls that need to
      display HTML, to make them XSS attack safe.

   5. fix additional XSS possible exploits caused by the To and From
      name and address not being sanitized before display

We can sort of infer version numbers from here:


But the 02-May-2006 date for 2.52 is out of alignment with the above
dates in the changelog.

Anyway, back to the differences between 06/18/2006 and 05/12/2006.

It comes down to the diffs (credits to FrSIRT for pointing in the
direction of the SVN archives).

For the 06/18/2006 version, we have cleansing of the $eaddr variable
in openwebmail-read.pl:


For the 05/12/2006 version, the affected file is openwebmail-main.pl,
as seen here:


I don't know about item (2) from the 05/12/2006 changelog - maybe it's
defensive or maybe there's a specific attack vector.

- Steve

More information about the VIM mailing list