MailStore 10.0.1 Cross Site Scripting / Open Redirect
secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server
MailStore Server Version 10.0.1.12148 was tested
according to the vendor:
- MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability
- Mailstore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability
"MailStore Server is one of the worldas leading solutions for email archiving,
management and compliance for small and medium-sized businesses."
The in-built Webapplication does not properly validate untrusted input in
several variables. This leads to both Reflected Cross-Site-Scripting (XSS)
and an Open Redirect.
To exploit the reflected XSS, the victim has to be authenticated to the
Mailstore Webapplication. By clicking on a link sent to a victim, an attacker
could for example copy the victims Session-ID to his on data sink.
Sending another link with a crafted URL, the attacker could redirect the
victim to a malicious website, while the link itself points to the trusted
Mailstore-Address. The victim is not required to be authenticated.
Vulnerable Scripts Reflected XSS for authenticated users:
/search-result/, Parameters c-f, c-q, c-from and c-to
/message/ajax/send/, Parameter recipient
Vulnerable Script Open Redirect:
derefer/, Parameter url
Example for reflected XSS:
#Load external JS-Code
Example for Open Redirect:
Update to Version 10.0.2
2017/01/09 vendor contacted
2017/01/10 initial vendor response asking for technical details
2017/01/10 provided vendor with the advisory including technical details
2017/01/13 vendor provided informations about affected versions and mitigation
2017/01/18 update published by vendor
2017/01/31 public disclosure
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.
See this note in RAW Version
Copyright 2017, cxsecurity.com