SmarterMail 7.3 and 7.4 Multiple Vulnerabilities

🗓️ 11 Mar 2011 00:00:00Reported by Hoyt LLCType

zdt🔗 0day.today👁 24 Views

SmarterMail 7.3 and 7.4 Multiple Vulnerabilities including Stored XSS, Reflected XSS, Directory Traversal, File Upload Parameters, OS Execution, XML Injection, LDAP Injection, and DoS. Patch available at http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primar

Reporter	Title	Published	Views	Family All 24
0day.today	SmarterMail 7.x (7.2.3925) Stored Cross Site Scripting Vulnerability	3 Oct 201000:00	–	zdt
0day.today	SmarterMail 7.x (7.2.3925) LDAP Injection Vulnerability	3 Oct 201000:00	–	zdt
Circl	CVE-2010-3425	2 Oct 201000:00	–	circl
Circl	CVE-2010-3486	19 Sep 201000:00	–	circl
CVE	CVE-2010-3425	16 Sep 201021:00	–	cve
CVE	CVE-2010-3486	22 Sep 201019:00	–	cve
Cvelist	CVE-2010-3425	16 Sep 201021:00	–	cvelist
Cvelist	CVE-2010-3486	22 Sep 201019:00	–	cvelist
Exploit DB	SmarterMail < 7.2.3925 - Persistent Cross-Site Scripting	2 Oct 201000:00	–	exploitdb
Exploit DB	SmarterMail < 7.2.3925 - LDAP Injection	2 Oct 201000:00	–	exploitdb

Vendor: SmarterTools
Application: SmarterMail 7.x
Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload Parameters, OS Execution, XML Injection, LDAP Injection, DoS
 
Patch: The Vendor has released SmarterMail Version 8 at URI http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary
 
Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored XSS, other Vulns
              Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of Stored XSS, other Vulns
              Vendor updates to Version 8.0 on 3.10.2011
 
Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability information for SmarterMail Version 7.3 and 7.4, building on Version 7.1 and 7.2 exploits known as CVE-2010-3486 and CVE-2010-3425 at URI http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html.
 
Hoyt LLC Research | March 10, 2011
 
SmarterMail Versions 7.x | CWE-79: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Stored XSS - CWE-79, CAPEC-86 - SmarterMail Version 7.x Series
Summary
 
Severity:   High
Confidence:     Certain
Host:   http://SmarterMail 7.x.Hosts
Path:   /Main/frmPopupContactsList.aspx
Issue detail - Confirmed in Versions 7.1, 7.2, 7.3 and 7.4
 
The value of the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter submitted to the URL /Main/frmContact.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The payload 9e8e5<script>alert(1)</script>5b211c9e81 was submitted in the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmPopupContactsList.aspx.
 
Full Disclsoure - SmarterMail 7.x - Blog Posts
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html
http://www.cloudscan.me/2010/09/smartermail-7x-713876-bugs-cross-site.html
http://www.cloudscan.me/2010/09/smarter-mail-7x-713876-file-fuzzing.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x_07.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x.html
http://www.cloudscan.me/2010/10/smartermail-7x-723925.html
 
Full Disclosure- SmarterMail 7.x - Burp Suite Pro 1.3.08 + Netsparker Audit Reports, HTML, XML Files, Screen Grabs.
http://xss.cx/examples/sm_7.2.3925_interim_report_1.htm
http://xss.cx/examples/sm_7.2.3925_interim_report_2.htm
http://xss.cx/examples/smartermail-7.2-report-interim-3.html
http://xss.cx/examples/sm-72-target.html
http://xss.cx/examples/sm_7.2.3925_stored_xss_audit_example.html
http://xss.cx/examples/sm_7.2.3925_file2_burp_1.3.08.html



#  0day.today [2018-04-14]  #

11 Mar 2011 00:00Current

7.1High risk

Vulners AI Score7.1

EPSS0.0802