what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Atmail WebMail 7.0.2 Cross Site Scripting

Atmail WebMail 7.0.2 Cross Site Scripting
Posted Feb 7, 2014
Authored by Vicente Aguilera Diaz

Atmail WebMail version 7.0.2 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
advisories | CVE-2013-6229
SHA-256 | 23b2b53a8d67a1e32d07fc9e6327ecca13eddf018a35f4a70313e79d7dc615ec

Atmail WebMail 7.0.2 Cross Site Scripting

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2013-014
- Original release date: March 25th, 2013
- Last revised: March 25th, 2013
- Discovered by: Vicente Aguilera Diaz
- Severity: 4.3/10 (CVSSv2 Base Scored)
- CVE-ID: CVE-2013-6229
=============================================

I. VULNERABILITY
-------------------------
Multiple reflected XSS vulnerabilities in Atmail WebMail.


II. BACKGROUND
-------------------------
Atmail allows users to access IMAP Mailboxes of any server of your
choice. The software provides

a comprehensive email-suite for accessing user mailboxes, and provides
an inbuilt Calendar and

Addressbook features. The WebMail Client of Atmail supports any existing
IMAP server running

under Unix/Linux or Windows systems.


III. DESCRIPTION
-------------------------
Has been detected multiple reflected XSS vulnerability:
1) in the view attachment message process
2) in the search message with filter process
3) in the delete message process

These vulnerabilities allows the execution of arbitrary HTML/script code
to be executed in the

context of the victim user's browser.


IV. PROOF OF CONCEPT
-------------------------
1) View attachment message process
When a user opens a file attachment in an email, the link is as follows:

http://<atmail-

server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/<fil

e>

where:
- <atmail-server> is the Atmail WebMail server
- <ID> is the unique ID for the message that contains the attachment
- <file> is the attachment file in the message

A malicious user can inject arbitrary HTML/script code in the <file>
parameter. For example:

http://<atmail-

server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/test

.txt<H1><marquee>This+is+an+XSS+example


2) Search message with filter process
When a user search messages with a filter (for example, using the
"Friends" filter), the link is

as follows:

POST

/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchRes

ultsTab5 HTTP/1.1
Host: <atmail-server>
...
searchQuery=&goBack=6&from=&to=&subject=&body=&filter=<filter>

where:
- <atmail-server> is the Atmail WebMail server
- <filter> is the name of the selected filter by the user

A malicious user can inject arbitrary HTML/script code in the <filter>
parameter. Also, This POST

HTTP Request can become a GET HTTP Request, making it easier to exploit
the vulnerability.
For example:

http://<atmail-

server>/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/se

archResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=friends<H1><marquee>This

+is+an+XSS+example


3) Delete message process
When a user select and delete a message, the link is as follows:

POST
/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash
HTTP/1.1Host:

<atmail-server>
...
resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B

%5D=<MailID>&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen%5B15%5D=0&unseen%5B14%5D=0&unseen

%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen%5B9%5D=0&unseen%5B8%5D=0&unseen

%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen%5B2%5D=0&unseen%5B1%5D=0

where:
- <atmail-server> is the Atmail WebMail server
- <MailID> is the identifier (number) of the mail selected by the user

A malicious user can inject arbitrary HTML/script code in the <MailID>
parameter. Also, This POST

HTTP Request can become a GET HTTP Request, making it easier to exploit
the vulnerability.
For example:

http://<atmail-server>/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?

resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B

%5D=<H1><marquee>This+is+an+XSS+example&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen

%5B15%5D=0&unseen%5B14%5D=0&unseen%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen

%5B9%5D=0&unseen%5B8%5D=0&unseen%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen

%5B2%5D=0&unseen%5B1%5D=0


V. BUSINESS IMPACT
-------------------------
An attacker can execute arbitrary HTML or script code in a targeted
user's browser, this can

leverage to steal sensitive information as user credentials, personal
data, etc.


VI. SYSTEMS AFFECTED
-------------------------
Tested in Atmail 7.0.2. Other versions may be affected too.


VII. SOLUTION
-------------------------
-


VIII. REFERENCES
-------------------------
http://www.atmail.com
http://www.isecauditors.com


IX. CREDITS
-------------------------
This vulnerability has been discovered
by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).


X. REVISION HISTORY
-------------------------
March 9, 2013: Initial release
March 22, 2013: Last revision


XI. DISCLOSURE TIMELINE
-------------------------
March 9, 2013: Discovered by Internet Security Auditors
March 22, 2013: Advisory updated with new XSS vulnerable resources
October 08, 2013: Firt contact with developer team
October 16, 2013: Second contact with developer team
November 28, 2013: Third contact with developer team
January 10, 2014: Last contact and release


XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with
no warranties or

guarantees of fitness of use or otherwise. Internet Security Auditors
accepts no responsibility

for any damage caused by the use or misuse of this information.


XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security,

penetration testing, security compliance implementation and assessing.
Our clients include some

of the largest companies in areas such as finance, telecommunications,
insurance, ITC, etc. We

are vendor independent provider with a deep expertise since 2001. Our
efforts in R&D include

vulnerability research, open security project collaboration and
whitepapers, presentations and

security events participation and promotion. For further information
regarding our security

services, contact us.
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close