https://www.exploit-db.com/exploits/21449
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-125

NOCC0.9到0.9.5版本存在跨站脚本（XSS）漏洞。远程攻击者借助电子邮件注入任意web脚本或者HTML。

source: http://www.securityfocus.com/bid/4740/info

NOCC is a web based email client implemented in PHP4. It includes support for POP3, SMTP and IMAP servers, MIME attachments and multiple languages.

A script injection issue has been reported with the way emails are displayed to users of NOCC webmail. A malicious attacker can include script code in an email and potentially get full access to a victim's mailbox. 

<script>alert(document.cookie)</script>

This will show the victim's session id.

来源:BID
名称:4740
链接:http://www.securityfocus.com/bid/4740
来源:XF
名称:nocc-webmail-css(9071)
链接:http://www.iss.net/security_center/static/9071.php
来源:sourceforge.net
链接:http://sourceforge.net/tracker/index.php?func=detail&aid;=555897&group;_id=12177&atid;=112177
来源:BUGTRAQ
名称:20020514NOCC:cross-site-scriptingbug
链接:http://archives.neohapsis.com/archives/bugtraq/2002-05/0107.html