Category:   Application (E-mail Server)  >   CommuniGate Pro
Vendors:   Stalker Software, Inc.
CommuniGate Pro Input Validation Hole in Style Tags Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1018048
SecurityTracker URL:  http://securitytracker.com/id/1018048
CVE Reference:   CVE-2007-2718
Updated:  May 12 2008
Original Entry Date:  May 14 2007
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): 5.1.8 and prior versions
Description:   A vulnerability was reported in CommuniGate Pro. A remote user can conduct cross-site scripting attacks.

The webmail system does not properly filter HTML code from user-supplied e-mail messages before displaying the message. A remote user can send a specially crafted message that, when viewed by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CommuniGate Pro software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

A demonstration exploit is provided:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS in message body (style using
import)")';</STYLE>

The vendor was notified on November 18, 2005.

Scanit discovered this vulnerability.

The original advisory is available at:

http://www.scanit.be/advisory-2007-05-12.html

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CommuniGate Pro software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor has issued a fixed version (5.1.9).
Vendor URL:  www.stalker.com/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)
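
An added example (not code from SecurityTracker, Scanit or the vendor): a Python check showing why a literal keyword match misses the demonstration string in the Description, and how decoding CSS backslash escapes before matching catches it. It assumes the vulnerable filter matched keywords literally, which the advisory does not state; the function names and the list of blocked constructs are hypothetical.

```python
import re
from html.parser import HTMLParser

# Sample taken verbatim from the advisory (line break included).
ADVISORY_SAMPLE = r"""<STYLE>@im\port'\ja\vasc\ript:alert("XSS in message body (style using
import)")';</STYLE>"""

# CSS escape: backslash + 1-6 hex digits (plus one optional whitespace),
# or backslash + any other single character, which stands for itself.
_CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|([^\r\n\f]))")
# Constructs this example refuses in mail-supplied CSS (assumed policy).
_BLOCKED = re.compile(r"@import|javascript:", re.I)

def css_unescape(css):
    """Decode CSS backslash escapes so keywords can be matched reliably."""
    def repl(m):
        if m.group(1) is None:
            return m.group(2)          # e.g. "\p" stands for "p"
        cp = int(m.group(1), 16)       # e.g. "\6f " stands for "o"
        return chr(cp) if 0 < cp < 0xD800 or 0xDFFF < cp <= 0x10FFFF else "\ufffd"
    return _CSS_ESCAPE.sub(repl, css)

class _StyleCollector(HTMLParser):
    """Collect the text of <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__()
        self.in_style, self.blocks = False, []
    def handle_starttag(self, tag, attrs):
        self.blocks += [v for k, v in attrs if k == "style" and v]
        if tag == "style":
            self.in_style = True
            self.blocks.append("")
    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False
    def handle_data(self, data):
        if self.in_style:
            self.blocks[-1] += data

def naive_filter_flags(html):
    """Literal keyword match on the raw message: the assumed weak filter."""
    return bool(_BLOCKED.search(html))

def blocked_css(html):
    """Return decoded CSS blocks that contain a blocked construct."""
    collector = _StyleCollector()
    collector.feed(html)
    collector.close()
    return [d for d in map(css_unescape, collector.blocks) if _BLOCKED.search(d)]
```

The literal match returns no hit on the advisory's sample, while the decoded match returns the style block with `@import` and `javascript:` restored.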

Message History:   None.


 Source Message Contents

Date:  Sat, 12 May 2007 23:00:25 +0200
Subject:  [Full-disclosure] CommuniGate Pro web mail persistent cross-site

1) Summary

Affected software: Stalker CommuniGate Pro version 5.1.8 and below
Vendor URL:        www.stalker.com
Severity:          Medium

2) Vulnerability Description

CommuniGate Pro is a communication server supporting a large number of
protocols. It includes a web mail system. The web mail system suffers
from a persistent cross-site scripting vulnerability. The web mail
application fails to sanitize incoming HTML emails properly. An attacker
can send a specially crafted email message to a user of CommuniGate Pro.
When the user views the attacker's message using the web mail client and
Internet Explorer, the JavaScript embedded into the attacker's message
gets executed. The attacker can use JavaScript code to perform any
actions in the web mail on behalf of the user, for example change
settings, steal messages, etc.

3) Verification

Send an HTML email message containing the following code and view it
with Internet Explorer using the CommuniGate Pro web mail client:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS in message body (style using
import)")';</STYLE>

4) Solution

Upgrade to CommuniGate Pro version 5.1.9.

5) Time Table

2005/11/18 Vendor was informed
2005/11/19 Vendor replied saying that they will investigate the report
2007/04/30 Vendor was notified again
2007/05/12 Vendor releases fixed version
2007/05/12 Scanit publishes advisory

6) Additional Information

    * The original advisory can be found here:
      http://www.scanit.be/advisory-2007-05-12.html
    * An automatic tool for checking for cross-site scripting problems
      in web mail systems can be downloaded here:
      http://www.scanit.be/excess.html
    * Special thanks to RSnake for his XSS cheatsheet
      (http://ha.ckers.org/xss.html)


7) About Scanit

Scanit is a security company located in Brussels, Belgium. We specialise
in security assessments, offering services such as penetration tests,
application source code reviews, and risk assessments. More information
can be found at http://www.scanit.be/
