To: Vuln.Lists
Re: Coordinated Disclosure, SmarterMail 7.x Versions
Private Note - Rewrite as you wish, vendor has acknowledged these bugs (and
more) and issued a fix.
------------------------------
Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me
Identified: October 28, 2010

Vendor: SmarterTools <http://www.smartertools.com/>
Application: SmarterMail 7.x
Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload
Parameters, OS Execution, XML Injection, LDAP Injection, DoS

Patch: The Vendor has released SmarterMail Version 8 at URI
http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary

Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored
XSS, other Vulns
              Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of
Stored XSS, other Vulns
              Vendor updates to Version 8.0 on 3.10.2011

Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability
information for SmarterMail Version 7.3 and 7.4, building on Version 7.1 and
7.2 exploits known as
CVE-2010-3486<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3486>and
CVE-2010-3425 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3425> at
URI
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html.

Hoyt LLC Research | March 10, 2011

SmarterMail Versions 7.x |
CWE-79<http://cwe.mitre.org/data/definitions/79.html>:
The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is used as a web
page that is served to other users.
Stored XSS - CWE-79, CAPEC-86 - SmarterMail Version 7.x SeriesSummary
Severity:  *High
*Confidence:  *Certain*Host:  *http://SmarterMail 7.x.Hosts*Path:  *
/Main/frmPopupContactsList.aspx*Issue detail - Confirmed in Versions 7.1,
7.2, 7.3 and 7.4The value of the
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter
submitted to the URL /Main/frmContact.aspx is copied into the HTML document
as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The
payload *9e8e5<script>alert(1)</script>5b211c9e81* was submitted in the
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This
input was returned unmodified in a subsequent request for the URL
/Main/frmPopupContactsList.aspx.

Full Disclsoure - SmarterMail 7.x - Blog Posts
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html
http://www.cloudscan.me/2010/09/smartermail-7x-713876-bugs-cross-site.html
http://www.cloudscan.me/2010/09/smarter-mail-7x-713876-file-fuzzing.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x_07.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x.html
http://www.cloudscan.me/2010/10/smartermail-7x-723925.html

Full Disclosure- SmarterMail 7.x - Burp Suite Pro 1.3.08 + Netsparker Audit
Reports, HTML, XML Files, Screen Grabs.
http://xss.cx/examples/sm_7.2.3925_interim_report_1.htm
http://xss.cx/examples/sm_7.2.3925_interim_report_2.htm
http://xss.cx/examples/smartermail-7.2-report-interim-3.html
http://xss.cx/examples/sm-72-target.html
http://xss.cx/examples/sm_7.2.3925_stored_xss_audit_example.html
http://xss.cx/examples/sm_7.2.3925_file2_burp_1.3.08.html