SmarterTools SmarterMail 8.0 Cross Site Scripting

`Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me  
Identified: March 14, 2011  
Vendor: SmarterTools <http://www.smartertools.com/>  
Application: SmarterMail Version 8.0  
Bug(s): Stored XSS, Reflected XSS  
Patch: None Available  
  
Timeline: Notify Vendor simultaneous with Vendor  
  
Publication:  
http://www.cloudscan.me/2011/03/smartermail-80-stored-xss-reflected-xss.html  
  
SUMMARY STATEMENT: CWE-79 <http://cwe.mitre.org/data/definitions/79.html>:  
The software does not neutralize or incorrectly neutralizes  
user-controllable input before it is placed in output that is used as a web  
page that is served to other users.  
Stored XSS - CWE-79, CAPEC-86  
  
------------------------------  
Issue: *Cross-site scripting (stored)* Severity: *High*  
Confidence:  
*Certain* Host: *http://vulnerable.smartermail.80.site:9998* Path:  
*/Main/frmPopupContactsList.aspx*  
------------------------------  
[image: smartermail-80-stored-xss-3.JPG]  
Issue detail The value of the  
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter  
submitted to the URL /Main/frmContact.aspx is copied into the HTML document  
as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The  
payload *e7bf9<script>alert(1)</script>96f90bed938* was submitted in the  
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This  
input was returned unmodified in a subsequent request for the URL  
/Main/frmPopupContactsList.aspx.  
  
This proof-of-concept attack demonstrates that it is possible to inject  
arbitrary JavaScript into the application's response.  
  
  
Blog URI Post  
http://www.cloudscan.me/2011/03/smartermail-80-stored-xss-reflected-xss.html  
Full Disclosure Report URI  
http://xss.cx/examples/smartermail-80-full-disclosure-report-hoyt-llc-research.html  
  
  
  
More to come..  
`