MailStore 10.0.1 Cross Site Scripting / Open Redirect

Type packetstorm
Reporter Tobias Glemser
Modified 2017-02-01T00:00:00


                                            `secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server  
Affected Products  
MailStore Server Version was tested  
according to the vendor:  
- MailStore 9.2 to 10.0.1 is affected by the Reflected XSS Vulnerability  
- Mailstore 9.0 to 10.0.1 is affected by the Open Redirect Vulnerability  
"MailStore Server is one of the worldas leading solutions for email archiving,   
management and compliance for small and medium-sized businesses."  
The in-built Webapplication does not properly validate untrusted input in   
several variables. This leads to both Reflected Cross-Site-Scripting (XSS)   
and an Open Redirect.  
To exploit the reflected XSS, the victim has to be authenticated to the   
Mailstore Webapplication. By clicking on a link sent to a victim, an attacker   
could for example copy the victims Session-ID to his on data sink.  
Sending another link with a crafted URL, the attacker could redirect the   
victim to a malicious website, while the link itself points to the trusted   
Mailstore-Address. The victim is not required to be authenticated.  
Vulnerable Scripts Reflected XSS for authenticated users:  
/search-result/, Parameters c-f, c-q, c-from and c-to   
/message/ajax/send/, Parameter recipient  
Vulnerable Script Open Redirect:  
derefer/, Parameter url  
Example for reflected XSS:  
#Load external JS-Code  
Example for Open Redirect:  
Update to Version 10.0.2  
Disclosure Timeline:  
2017/01/09 vendor contacted  
2017/01/10 initial vendor response asking for technical details  
2017/01/10 provided vendor with the advisory including technical details  
2017/01/13 vendor provided informations about affected versions and mitigation  
2017/01/18 update published by vendor  
2017/01/31 public disclosure  
Tobias Glemser  
secuvera GmbH  
All information is provided without warranty. The intent is to  
provide information to secure infrastructure and/or systems, not  
to be able to attack or damage. Therefore secuvera shall  
not be liable for any direct or indirect damages that might be  
caused by using this information.