
Wednesday, February 1, 2017

[FD] secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server

Affected Products
MailStore Server Version 10.0.1.12148 was tested.
According to the vendor:
- MailStore 9.2 to 10.0.1 is affected by the Reflected XSS vulnerability
- MailStore 9.0 to 10.0.1 is affected by the Open Redirect vulnerability

References
http://ift.tt/2jU6T4F
CWE-79 http://ift.tt/1sECy8t
CWE-601 http://ift.tt/1OqwbDo

Summary:
"MailStore Server is one of the world’s leading solutions for email archiving, management and compliance for small and medium-sized businesses."
The built-in web application does not properly validate untrusted input in several variables. This leads to both Reflected Cross-Site Scripting (XSS) and an Open Redirect.

Effect:
To exploit the reflected XSS, the victim has to be authenticated to the MailStore web application. By clicking on a link sent to a victim, an attacker could, for example, copy the victim's session ID to his own data sink.
By sending another link with a crafted URL, the attacker could redirect the victim to a malicious website, while the link itself points to the trusted MailStore address. The victim is not required to be authenticated.

Vulnerable Scripts
Reflected XSS for authenticated users:
/search-result/, Parameters c-f, c-q, c-from and c-to
/message/ajax/send/, Parameter recipient

Vulnerable Script Open Redirect:
derefer/, Parameter url

Example for reflected XSS:
http://ift.tt/2jVAj4T
#Load external JS-Code
http://ift.tt/2jU3gMb

Example for Open Redirect:
http://ift.tt/2jVsU5J

Solution:
Update to Version 10.0.2

Disclosure Timeline:
2017/01/09 vendor contacted
2017/01/10 initial vendor response asking for technical details
2017/01/10 provided vendor with the advisory including technical details
2017/01/13 vendor provided information about affected versions and mitigation
2017/01/18 update published by vendor
2017/01/31 public disclosure

Credits:
Tobias Glemser
tglemser@secuvera.de
secuvera GmbH
https://www.secuvera.de

Disclaimer:
All information is provided without warranty. The intent is to provide information to secure infrastructure and/or systems, not to be able to attack or damage. Therefore secuvera shall not be liable for any direct or indirect damages that might be caused by using this information.

Source: Gmail -> IFTTT-> Blogger
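
Detection logic for the endpoints and parameters listed in the advisory, added here as an example and not part of the advisory or of MailStore's code: it scans access-log lines for markup characters in the reflected parameters and for off-site hosts in the derefer/ url parameter. The combined log format, the trusted host name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Endpoints and parameters named in the advisory.
XSS_PARAMS = {"/search-result/": {"c-f", "c-q", "c-from", "c-to"},
              "/message/ajax/send/": {"recipient"}}
REDIRECT_PATH, REDIRECT_PARAM = "derefer/", "url"
# Assumption: hosts the archive may legitimately link to (placeholder value).
TRUSTED_HOSTS = {"archive.example.invalid"}
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP_RE = re.compile(r"[<>\"']|javascript:", re.IGNORECASE)


def classify(target):
    """Return a list of findings for one request target (path + query)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for path, params in XSS_PARAMS.items():
        if parts.path.endswith(path):
            for name in sorted(params & set(query)):
                if any(MARKUP_RE.search(v) for v in query[name]):
                    findings.append(f"markup in {name}")
    if parts.path.endswith(REDIRECT_PATH):
        for value in query.get(REDIRECT_PARAM, []):
            # Browsers treat backslashes as slashes; normalise before parsing.
            host = urlsplit(value.strip().replace("\\", "/")).hostname
            if host and host.lower() not in TRUSTED_HOSTS:
                findings.append(f"off-site redirect to {host}")
    return findings


def scan(lines):
    """Yield (line_number, findings) for log lines with at least one finding."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match and (found := classify(match.group(1))):
            yield number, found


# Constructed sample log lines (combined log format is an assumption).
SAMPLE = [
    '10.0.0.5 - - [01/Feb/2017:10:00:00 +0000] "GET /search-result/?c-q=invoice HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Feb/2017:10:00:05 +0000] "GET /search-result/?c-q=%22%3E%3Cscript%3E HTTP/1.1" 200 530',
    '10.0.0.7 - - [01/Feb/2017:10:00:09 +0000] "GET /derefer/?url=http%3A%2F%2Fother.example.invalid%2F HTTP/1.1" 302 0',
    '10.0.0.8 - - [01/Feb/2017:10:00:12 +0000] "GET /derefer/?url=http%3A%2F%2Farchive.example.invalid%2Fhelp HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Quote characters also occur in legitimate search terms, so markup findings are candidates for review rather than confirmed attempts.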
