SmarterMail 7.x Cross Site Scripting / Shell Upload / Traversal

`To: Vuln.Lists  
Re: Coordinated Disclosure, SmarterMail 7.x Versions  
Private Note - Rewrite as you wish, vendor has acknowledged these bugs (and  
more) and issued a fix.  
------------------------------  
Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me  
Identified: October 28, 2010  
  
Vendor: SmarterTools <http://www.smartertools.com/>  
Application: SmarterMail 7.x  
Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload  
Parameters, OS Execution, XML Injection, LDAP Injection, DoS  
  
Patch: The Vendor has released SmarterMail Version 8 at URI  
http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary  
  
Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored  
XSS, other Vulns  
Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of  
Stored XSS, other Vulns  
Vendor updates to Version 8.0 on 3.10.2011  
  
Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability  
information for SmarterMail Version 7.3 and 7.4, building on Version 7.1 and  
7.2 exploits known as  
CVE-2010-3486<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3486>and  
CVE-2010-3425 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3425> at  
URI  
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html.  
  
Hoyt LLC Research | March 10, 2011  
  
SmarterMail Versions 7.x |  
CWE-79<http://cwe.mitre.org/data/definitions/79.html>:  
The software does not neutralize or incorrectly neutralizes  
user-controllable input before it is placed in output that is used as a web  
page that is served to other users.  
Stored XSS - CWE-79, CAPEC-86 - SmarterMail Version 7.x SeriesSummary  
Severity: *High  
*Confidence: *Certain*Host: *http://SmarterMail 7.x.Hosts*Path: *  
/Main/frmPopupContactsList.aspx*Issue detail - Confirmed in Versions 7.1,  
7.2, 7.3 and 7.4The value of the  
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter  
submitted to the URL /Main/frmContact.aspx is copied into the HTML document  
as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The  
payload *9e8e5<script>alert(1)</script>5b211c9e81* was submitted in the  
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This  
input was returned unmodified in a subsequent request for the URL  
/Main/frmPopupContactsList.aspx.  
  
Full Disclsoure - SmarterMail 7.x - Blog Posts  
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html  
http://www.cloudscan.me/2010/09/smartermail-7x-713876-bugs-cross-site.html  
http://www.cloudscan.me/2010/09/smarter-mail-7x-713876-file-fuzzing.html  
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x_07.html  
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x.html  
http://www.cloudscan.me/2010/10/smartermail-7x-723925.html  
  
Full Disclosure- SmarterMail 7.x - Burp Suite Pro 1.3.08 + Netsparker Audit  
Reports, HTML, XML Files, Screen Grabs.  
http://xss.cx/examples/sm_7.2.3925_interim_report_1.htm  
http://xss.cx/examples/sm_7.2.3925_interim_report_2.htm  
http://xss.cx/examples/smartermail-7.2-report-interim-3.html  
http://xss.cx/examples/sm-72-target.html  
http://xss.cx/examples/sm_7.2.3925_stored_xss_audit_example.html  
http://xss.cx/examples/sm_7.2.3925_file2_burp_1.3.08.html  
`