Zaep AntiSpam Cross Site Scripting
------------------------------------------------------------------------

Article reference:
http://www.securiteam.com/windowsntfocus/5EP0I15CKK.html

SUMMARY

Beyond Security has discovered a security vulnerability in Zaep AntiSpam 2.0. The vulnerability would allow a remote attacker to use the Zaep program's CGI to return third-party content as if it were its own (a cross-site scripting vulnerability). Depending on the web server's configuration and the site's sensitivity, this would allow an attacker to steal cookies, display alternative information (cross-site defacement), or redirect users to malicious sites.

DETAILS

Vulnerable Systems:
 * Zaep AntiSpam 2.0

Immune Systems:
 * Zaep AntiSpam 2.0.0.2

Once you send an email to an organization protected by Zaep, a URL like:
http://vulnerable.zaep/?key=3d981f0f.4056b0a6.23285275
is issued.

If you modify the URL to include , Zaep will convert the '/' sign to '\', so that the script clause does not work properly. So far, this behavior will "protect" the product from a cross-site scripting vulnerability. However, double encoding the '/' sign (%252F) will bypass this conversion and allow you to insert malicious content (JavaScript, HTML, etc.) into the page.

Exploit (for all the vulnerabilities):
http://vulnerable.zaep/?key=
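
The filter-ordering problem described above, next to a canonicalize-then-validate check, as an added example (not code from Zaep or from the original advisory). It assumes the '/' conversion runs before a later decode pass and that valid keys have the shape of the sample key shown above; all function names are hypothetical.

```python
import html
import re
from typing import Optional
from urllib.parse import unquote

# Assumption: keys look like the sample on the page (three 8-hex-digit groups).
KEY_RE = re.compile(r"[0-9a-f]{8}(\.[0-9a-f]{8}){2}")
MAX_DECODE_PASSES = 5


def naive_filter(raw_key: str) -> str:
    """Model of the flawed order: convert '/' after one decode, then decode again."""
    once = unquote(raw_key)              # first decode: %252F becomes %2F
    filtered = once.replace("/", "\\")   # the conversion finds no '/' to replace
    return unquote(filtered)             # later decode turns %2F into '/'


def canonicalize(raw_key: str) -> str:
    """Percent-decode until the value stops changing, within a bounded pass count."""
    value = raw_key
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def safe_key(raw_key: str) -> Optional[str]:
    """Return the canonical key if it matches the allowlist pattern, else None."""
    try:
        value = canonicalize(raw_key)
    except ValueError:
        return None
    return value if KEY_RE.fullmatch(value) else None


def render(raw_key: str) -> str:
    """Build the response fragment; the key is HTML-escaped even after validation."""
    key = safe_key(raw_key)
    if key is None:
        return "<p>Invalid key.</p>"
    return "<p>Key: " + html.escape(key) + "</p>"
```

Validating the fully decoded value against an allowlist, and escaping on output, removes the dependence on any single character conversion.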