exploit the possibilities

Winmail Server 4.2 Cross Site Scripting

Winmail Server 4.2 Cross Site Scripting
Posted Aug 30, 2015
Authored by Jing Wang

Winmail Server version 4.2 suffers from a cross site scripting vulnerability.

tags | exploit, xss
MD5 | 7d72d759bb5d3d1e28fdcf17909caf37

Winmail Server 4.2 Cross Site Scripting

Change Mirror Download
*Winmail Server 4.2 Reflected XSS (Cross-site Scripting) Web Application
0-Day Security Bug*



Exploit Title: Winmail Server badlogin.php &lid parameter Reflected XSS Web
Security Vulnerability
Product: Winmail Server
Vendor: Winmail Server
Vulnerable Versions: 4.2 4.1
Tested Version: 4.2 4.1
Advisory Publication: August 24, 2015
Latest Update: August 30, 2015
Vulnerability Type: Cross-Site Scripting [CWE-79]
CVE Reference:
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)
Impact Subscore: 2.9
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with
attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized modification
Discover and Reporter: Wang Jing [School of Physical and Mathematical
Sciences (SPMS), Nanyang Technological University (NTU), Singapore]
(@justqdjing)









*Suggestion Details:*


*(1) Vendor & Product Description:*


*Vendor:*
Winmail Server



*Product & Vulnerable Versions:*
Winmail Server
4.2 4.1



*Vendor URL & Download:*
Product can be obtained from here,
http://www.magicwinmail.net/download.asp




*Product Introduction Overview:*
"Winmail Server is an enterprise class mail server software system offering
a robust feature set, including extensive security measures. Winmail Server
supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP
authentication, spam protection, anti-virus protection, SSL security,
Network Storage, remote access, Web-based administration, and a wide array
of standard email options such as filtering, signatures, real-time
monitoring, archiving, and public email folders. Winmail Server can be
configured as a mail server or gateway for ISDN, ADSL, FTTB and cable modem
networks, beyond standard LAN and Internet mail server configurations."








*(2) Vulnerability Details:*
Winmail Server web application has a computer security problem. Hackers can
exploit it by reflected XSS cyber attacks. This may allow a remote attacker
to create a specially crafted request that would execute arbitrary script
code in a user's browser session within the trust relationship between
their browser and the server.

Several other similar products 0-day vulnerabilities have been found by
some other bug hunter researchers before. Winmail Server has patched some
of them. "scip AG was founded in 2002. We are driven by innovation,
sustainability, transparency, and enjoyment of our work. We are completely
self-funded and are thus in the comfortable position to provide completely
independent and neutral services. Our staff consists of highly specialized
experts who focus on the topic information security and continuously
further their expertise through advanced training". Scip has recorded
similar XSS bugs, such as scipID 26980.



*(2.1) *The code flaw occurs at "&lid" parameter in "badlogin.php" page. In
fact, CVE-2005-3692 mentions that "&retid" parameter in "badlogin.php" page
is vulnerable to XSS attacks. But it does not mention "&lid" parameter".
The scipID of the bug is 26980. Bugtraq (SecurityFocus) ID is 15493. OSVDB
ID is 20926.







*References:*
http://tetraph.com/security/xss-vulnerability/winmail-server-4-2-reflected-xss/
http://securityrelated.blogspot.com/2015/08/winmail-server-42-reflected-xss.html
http://seclists.org/fulldisclosure/2015/May/103
http://marc.info/?l=full-disclosure&m=143110916812709&w=4
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2028
http://webtech.lofter.com/post/1cd3e0d3_6eef8c8
http://whitehatpost.blog.163.com/blog/static/242232054201573091630996/
https://hackertopic.wordpress.com/2015/08/25/winmail-server-4-2-reflected-xss/
http://whitehatview.tumblr.com/post/118853357881/tetraph-cve-2014-9468-instantasp
http://marc.info/?l=full-disclosure&m=142649827629327&w=4
https://packetstormsecurity.com/files/132029/SITEFACT-CMS-2.01-Cross-Site-Scripting.html






--
Jing Wang,
Division of Mathematical Sciences (MAS),
School of Physical and Mathematical Sciences (SPMS),
Nanyang Technological University (NTU), Singapore.
http://www.tetraph.com/wangjing/
https://twitter.com/justqdjing


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    24 Files
  • 2
    Oct 2nd
    15 Files
  • 3
    Oct 3rd
    7 Files
  • 4
    Oct 4th
    4 Files
  • 5
    Oct 5th
    10 Files
  • 6
    Oct 6th
    1 Files
  • 7
    Oct 7th
    21 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    5 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    17 Files
  • 12
    Oct 12th
    4 Files
  • 13
    Oct 13th
    4 Files
  • 14
    Oct 14th
    15 Files
  • 15
    Oct 15th
    19 Files
  • 16
    Oct 16th
    25 Files
  • 17
    Oct 17th
    17 Files
  • 18
    Oct 18th
    3 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close