Reporter Tobias Glemser
secuvera-SA-2017-02: Reflected XSS and Open Redirect in MailStore Server
MailStore Server Version 10.0.1.12148 was tested.
According to the vendor:
- MailStore 9.2 to 10.0.1 is affected by the Reflected XSS vulnerability
- MailStore 9.0 to 10.0.1 is affected by the Open Redirect vulnerability
"MailStore Server is one of the world's leading solutions for email archiving,
management and compliance for small and medium-sized businesses."
The built-in web application does not properly validate untrusted input in
several variables. This leads to both Reflected Cross-Site Scripting (XSS)
and an Open Redirect.
To exploit the reflected XSS, the victim has to be authenticated to the
MailStore web application. If the victim clicks on a link sent by an attacker,
the attacker could, for example, copy the victim's Session-ID to his own data sink.
By sending another link with a crafted URL, the attacker could redirect the
victim to a malicious website, while the link itself points to the trusted
MailStore address. For the Open Redirect, the victim is not required to be
authenticated.
Vulnerable Scripts Reflected XSS for authenticated users:
/search-result/, Parameters c-f, c-q, c-from and c-to
/message/ajax/send/, Parameter recipient
Vulnerable Script Open Redirect:
derefer/, Parameter url
Example for reflected XSS:
#Load external JS-Code
Example for Open Redirect:
Update to Version 10.0.2
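For reviewing web server or reverse proxy logs for requests against the scripts and parameters listed above, the following is an added example, not part of the original advisory and not MailStore code. The sample request targets, the trusted host name and the function names are constructed assumptions, and only query-string parameters are inspected (values sent in a request body are not covered).

```python
from urllib.parse import urlsplit, parse_qs

# Scripts and parameters as listed in the advisory.
XSS_PARAMS = {
    "/search-result/": {"c-f", "c-q", "c-from", "c-to"},
    "/message/ajax/send/": {"recipient"},
}
REDIRECT_PATH_SUFFIX = "derefer/"
REDIRECT_PARAM = "url"
HTML_META = set("<>\"'")
# Assumption: hosts that redirects may legitimately point to (hypothetical name).
TRUSTED_HOSTS = {"mailstore.example.internal"}

def classify(request_target, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of findings for one logged request target (path + query)."""
    parts = urlsplit(request_target)
    # parse_qs percent-decodes each value once, as the web server would.
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for path, names in XSS_PARAMS.items():
        if parts.path.endswith(path):
            for name in sorted(names.intersection(query)):
                # HTML metacharacters in these parameters deserve a closer look.
                if any(HTML_META & set(v) for v in query[name]):
                    findings.append(f"xss-candidate:{name}")
    if parts.path.endswith(REDIRECT_PATH_SUFFIX):
        for value in query.get(REDIRECT_PARAM, []):
            try:
                target = urlsplit(value.strip().replace("\\", "/"))
            except ValueError:
                findings.append("open-redirect:unparseable")
                continue
            host = (target.hostname or "").lower()
            # Any network location (including scheme-relative //host) leaves the site.
            if target.netloc and host not in trusted_hosts:
                findings.append(f"open-redirect:{host}")
    return findings

# Constructed sample request targets (not taken from the advisory).
SAMPLES = [
    "/search-result/?c-q=invoice+2017",
    "/search-result/?c-q=%22%3E%3Cb%3Ex&c-from=2017-01-01",
    "/derefer/?url=https%3A%2F%2Fexternal.example%2Flanding",
    "/derefer/?url=%2F%2Fexternal.example%2F",
    "/derefer/?url=https%3A%2F%2Fmailstore.example.internal%2Fhelp",
]

def scan(targets):
    """Map each flagged request target to its findings."""
    return {t: f for t in targets if (f := classify(t))}
```

Hits on the search parameters are candidates for manual review rather than confirmed attacks, since legitimate searches can contain quote characters.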
2017/01/09 vendor contacted
2017/01/10 initial vendor response asking for technical details
2017/01/10 provided vendor with the advisory including technical details
2017/01/13 vendor provided information about affected versions and mitigation
2017/01/18 update published by vendor
2017/01/31 public disclosure
All information is provided without warranty. The intent is to
provide information to secure infrastructure and/or systems, not
to be able to attack or damage. Therefore secuvera shall
not be liable for any direct or indirect damages that might be
caused by using this information.