Date: Wed, 1 Feb 2017 09:01:11 +0000
From: Tobias Glemser
Subject: [FD] secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server

secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server

Affected Products
   MailStore Server Version was tested
   according to the vendor:
   - MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability
   - MailStore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability


   "MailStore Server is one of the world’s leading solutions for email archiving, 
   management and compliance for small and medium-sized businesses."

   The built-in web application does not properly validate untrusted input in 
   several parameters. This leads to both Reflected Cross-Site Scripting (XSS) 
   and an Open Redirect.

   To exploit the reflected XSS, the victim has to be authenticated to the 
   MailStore web application. Once the victim clicks on a link sent by the 
   attacker, the injected script could for example copy the victim's session ID 
   to a data sink under the attacker's control.

   By sending another link with a crafted URL, the attacker could redirect the 
   victim to a malicious website, while the link itself points to the trusted 
   MailStore address. For this, the victim is not required to be authenticated.

Vulnerable Scripts Reflected XSS for authenticated users:
   /search-result/, Parameters c-f, c-q, c-from and c-to 
   /message/ajax/send/, Parameter recipient

Vulnerable Script Open Redirect:
   derefer/, Parameter url
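The two issue classes above call for two different server-side controls: values that are echoed back (such as the search parameters and the recipient field) must be HTML-encoded for the context they land in, and a redirect parameter such as url must be restricted to same-origin targets rather than forwarded as given. The following is an added illustration and not MailStore code; the function names, the allowed host mail.example.com and the sample inputs are assumptions constructed for this example.

```python
"""Defensive handling for reflected parameters and a dereferrer-style
redirect parameter. Added example, not code from MailStore or secuvera;
the function names and the allowed host are assumptions."""
import html
from typing import Optional
from urllib.parse import urlsplit, urlunsplit


def reflect_safely(value: str) -> str:
    """HTML-encode a parameter before it is echoed into element text or a
    double-quoted attribute, so '<', '>' and quotes cannot break out."""
    return html.escape(value, quote=True)


def resolve_redirect(url: str, allowed_host: str) -> Optional[str]:
    """Return a safe local redirect target, or None if the value must be rejected.

    Accepted:
      - site-absolute paths starting with a single '/' (not '//' or '/\\'),
      - absolute http(s) URLs whose host exactly equals allowed_host.
    Rejected: other hosts, javascript:/data: schemes, protocol-relative URLs,
    backslash tricks, credentials-in-URL tricks and control characters.
    """
    if not url or any(ord(c) < 0x20 for c in url):
        return None
    # Browsers treat backslashes as slashes in URLs; normalise before parsing
    # so '/\\evil.example' is not mistaken for a local path.
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be site-absolute, not protocol-relative.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return None
    if parts.scheme.lower() not in ("http", "https"):
        return None
    # parts.hostname is already lower-cased and excludes userinfo and port,
    # so 'https://allowed@evil.example/' resolves to the real host.
    if parts.hostname is None or parts.hostname != allowed_host.lower():
        return None
    # Re-emit as a local path so the Location header never carries a host.
    return urlunsplit(("", "", parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    host = "mail.example.com"
    for sample in ["/inbox", "//evil.example/x", "/\\evil.example/x",
                   "javascript:alert(1)", "https://mail.example.com/search-result/?c-q=a",
                   "https://mail.example.com@evil.example/"]:
        print(f"{sample!r:50} -> {resolve_redirect(sample, host)!r}")
    print(reflect_safely('"><script>'))
```

The redirect check deliberately returns a rewritten local path instead of the original string: even for an accepted same-origin URL, the Location header is then built from the parsed path and query, so nothing the client supplied reaches the header unparsed. The HTML encoding is context-specific; a value placed into a JavaScript string or a URL attribute needs the encoder for that context rather than html.escape.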

Example for reflected XSS:
   #Load external JS-Code

Example for Open Redirect:

Solution:
   Update to Version 10.0.2

Disclosure Timeline:
   2017/01/09 vendor contacted
   2017/01/10 initial vendor response asking for technical details
   2017/01/10 provided vendor with the advisory including technical details
   2017/01/13 vendor provided information about affected versions and mitigation
   2017/01/18 update published by vendor
   2017/01/31 public disclosure
   Tobias Glemser
   secuvera GmbH

   All information is provided without warranty. The intent is to
   provide information to secure infrastructure and/or systems, not
   to be able to attack or damage. Therefore secuvera shall
   not be liable for any direct or indirect damages that might be
   caused by using this information.
