SmarterMail Versions 7.x

vendor:

SmarterMail

by:

Hoyt LLC Research

7.5

CVSS

HIGH

Stored XSS

CWE

Product Name: SmarterMail

Affected Version From: 7.1

Affected Version To: 7.4

Patch Exists: YES

Related CWE: CVE-2010-3486 and CVE-2010-3425

CPE: a:smartertools:smartermail:7.x

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

2010

The value of the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter submitted to the URL /Main/frmContact.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The payload 9e8e5<script>alert(1)</script>5b211c9e81 was submitted in the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmPopupContactsList.aspx.

Mitigation:

The Vendor has released SmarterMail Version 8 at URI http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary

Source

Exploit-DB raw data:

Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me
Identified: October 28, 2010

Vendor: SmarterTools
Application: SmarterMail 7.x
Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload Parameters, OS Execution, XML Injection, LDAP Injection, DoS

Patch: The Vendor has released SmarterMail Version 8 at URI http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary

Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored XSS, other Vulns
              Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of Stored XSS, other Vulns
              Vendor updates to Version 8.0 on 3.10.2011

Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability information for SmarterMail Version 7.3 and 7.4, building on Version 7.1 and 7.2 exploits known as CVE-2010-3486 and CVE-2010-3425 at URI http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html.

Hoyt LLC Research | March 10, 2011

SmarterMail Versions 7.x | CWE-79: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Stored XSS - CWE-79, CAPEC-86 - SmarterMail Version 7.x Series
Summary

Severity:  	High
Confidence:  	Certain
Host:  	http://SmarterMail 7.x.Hosts
Path:  	/Main/frmPopupContactsList.aspx
Issue detail - Confirmed in Versions 7.1, 7.2, 7.3 and 7.4

The value of the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter submitted to the URL /Main/frmContact.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The payload 9e8e5<script>alert(1)</script>5b211c9e81 was submitted in the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmPopupContactsList.aspx.

Full Disclsoure - SmarterMail 7.x - Blog Posts
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html
http://www.cloudscan.me/2010/09/smartermail-7x-713876-bugs-cross-site.html
http://www.cloudscan.me/2010/09/smarter-mail-7x-713876-file-fuzzing.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x_07.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x.html
http://www.cloudscan.me/2010/10/smartermail-7x-723925.html

Full Disclosure- SmarterMail 7.x - Burp Suite Pro 1.3.08 + Netsparker Audit Reports, HTML, XML Files, Screen Grabs.
http://xss.cx/examples/sm_7.2.3925_interim_report_1.htm
http://xss.cx/examples/sm_7.2.3925_interim_report_2.htm
http://xss.cx/examples/smartermail-7.2-report-interim-3.html
http://xss.cx/examples/sm-72-target.html
http://xss.cx/examples/sm_7.2.3925_stored_xss_audit_example.html
http://xss.cx/examples/sm_7.2.3925_file2_burp_1.3.08.html