Captaris WebMail XSS Vulnerability


I figured it was about time I hopped on the XSS band-wagon. XSS against webmail clients is actually mildy interesting and the example CGI script I created provides a good base framework for similar attacks.

Captaris ( Infinite WebMail application is vulnerable to Cross-Site Scripting (XSS) attacks. The application fails to filter the following tags that can both be used to redirect a user to an attack script:

Launch on e-mail open:

    <p style="left:expression(document.location=

Launch on mouse over:

    <b onMouseOver= "document.location=

I am sure there are other XSS attack methods that can also be utilized to bypass their basic filtering.

A sample vulnerable service is provided by (, they are running WebMail v3.61.05. A sample cookie and mail logger script that will retrieve all of the messages in the users main mailbox has been written and is available at the link shown above.