I. VULNERABILITY
-------------------------
Reflected XSS in SpamTitan 6.01
II. BACKGROUND
-------------------------
SpamTitan offers the best protection for your email on the market. We
consistently block more than 99.9% of all spam and have independent
comparative tests and awards to show this.
III. DESCRIPTION
-------------------------
Has been detected a XSS Reflected via GET in SpamTitan in
"/auth-settings-x.php?getwebauth&domain_filter=aaa&startIndex=0&type=all&results=5&sortkey=domain&sortdir="
parameter “sortdir” that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser.
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter sortdir in
http://10.200.210.5/auth-settings-x.php?getwebauth&domain_filter=aaa&startIndex=0&type=all&results=5&sortkey=domain&sortdir=aaa"<body
onload=alert(document.cookie)>
V. BUSINESS IMPACT
-------------------------
That allows the code execution arbitrary in victim Browser
VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.
VII. SYSTEMS AFFECTED
-------------------------
Try SpamTitan 6.00 and 6.01 VM and Demo online
VIII. SOLUTION
-------------------------
SpamTitan has released a 6.04 patch to address this vulnerability. If
you are unable to upgrade, please consider the following workaround.
By William Costa
http://twitter.com/willcosta