------------------------------------------------------------------------
Cross-Site Scripting (XSS) in WHMail
------------------------------------------------------------------------

Author: Audun Larsen (larsen at xqus dot com)
Date: Dec 24, 2008

--AFFECTED SOFTWARE--------------------------

Name: WHMail

WHMail is a webmail application written in Perl developed and used by
a Norwegian ISP called Webhuset.

--DISCUSSION---------------------------------

WHMail is vulnerable to a Non-Persistent (or reflected)
Cross-Site Scripting attack. The problem exists because of the lack
of properly escaping user input before using it to populate the username field
on the login page.

--PROOF OF CONCEPT---------------------------

http://webhuset.no/perl/whmail/login and enter 
"><script>alert("XSS");</script> as username.

--TIMELINE-----------------------------------

Dec 24, 2008: Bug found
Dec 24, 2008: Vendor notified
Dec 26, 2008: Vendor reports vulnerability fixed

--DISCLAIMER---------------------------------

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.

Copyright © 2008 Audun Larsen, some rights reserved:
http://creativecommons.org/licenses/by-sa/3.0/