full-disclosure-uk May 2007 archive

[Full-disclosure] CommuniGate Pro web mail persistent cross-site scripting vulnerability

From: Alla Bezroutchko <alla_at_nospam>
Date: Sat May 12 2007 - 21:00:25 GMT
To: full-disclosure@lists.grok.org.uk

1) Summary

Affected software: Stalker CommuniGate Pro version 5.1.8 and below
Vendor URL: www.stalker.com
Severity: Medium

2) Vulnerability Description

CommuniGate Pro is a communication server supporting a large number of protocols. It includes a web mail system, which suffers from a persistent cross-site scripting vulnerability: the web mail application fails to sanitize incoming HTML emails properly. An attacker can send a specially crafted email message to a user of CommuniGate Pro. When the user views the attacker's message using the web mail client and Internet Explorer, the JavaScript embedded in the attacker's message is executed. The attacker can use JavaScript code to perform any action in the web mail on behalf of the user, for example changing settings or stealing messages.

3) Verification

Send an HTML email message containing the following code and view it with Internet Explorer using CommuniGate Pro web mail client:

<STYLE>@im\port'\ja\vasc\ript:alert("XSS in message body (style using import)")';</STYLE>

4) Solution

Upgrade to CommuniGate Pro version 5.1.9.

5) Time Table

2005/11/18 Vendor was informed
2005/11/19 Vendor replied saying that they will investigate the report
2007/04/30 Vendor was notified again
2007/05/12 Vendor releases fixed version
2007/05/12 Scanit publishes advisory

6) Additional Information

Scanit is a security company located in Brussels, Belgium. We specialise in security assessments, offering services such as penetration tests, application source code reviews, and risk assessments. More information can be found at http://www.scanit.be/
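
The verification payload in section 3 writes `@import` and `javascript:` with CSS backslash escapes, so the keywords never appear literally in the message. The following is an added example (not part of the advisory and not CommuniGate Pro's code) of a sanitizer-side check that resolves CSS escapes before matching; it also covers hex escapes, which go beyond the payload shown, and the `DANGEROUS` keyword list and function names are illustrative assumptions.

```python
import re
from html.parser import HTMLParser

# Sample input: the verification payload quoted in section 3 of the advisory.
SAMPLE = r'''<STYLE>@im\port'\ja\vasc\ript:alert("XSS in message body (style using import)")';</STYLE>'''
# CSS constructs a mail sanitizer should not pass through (illustrative, assumed list).
DANGEROUS = re.compile(r"@import|javascript:|vbscript:|expression\(", re.I)
# CSS escapes: "\" + 1-6 hex digits (+ one whitespace), "\" + newline, "\" + any other char.
CSS_ESCAPE = re.compile(r"\\(?:([0-9a-fA-F]{1,6})[ \t\r\n\f]?|\r?\n|([^\r\n\f]))")

def css_unescape(css):
    """Resolve CSS backslash escapes so keywords appear as a CSS parser reads them."""
    def repl(m):
        if m.group(1):
            cp = int(m.group(1), 16)
            return chr(cp) if 0 < cp <= 0x10FFFF else "\ufffd"
        return m.group(2) or ""  # escaped literal char, or "" for a line continuation
    return CSS_ESCAPE.sub(repl, css)

class StyleCollector(HTMLParser):
    """Collect CSS text from <style> elements and style="" attributes."""
    def __init__(self):
        super().__init__()
        self.css, self.in_style = [], False

    def handle_starttag(self, tag, attrs):
        self.css += [v for k, v in attrs if k == "style" and v]
        if tag == "style":
            self.in_style = True
            self.css.append("")  # buffer for this element's text

    def handle_endtag(self, tag):
        if tag == "style":
            self.in_style = False

    def handle_data(self, data):
        if self.in_style:
            self.css[-1] += data  # join chunks so a keyword is never split

def find_css_script(html, normalize=True):
    """Return dangerous CSS tokens found; normalize=False models a literal-match filter."""
    parser = StyleCollector()
    parser.feed(html)
    parser.close()
    texts = [css_unescape(c) if normalize else c for c in parser.css]
    return [m.group(0).lower() for t in texts for m in DANGEROUS.finditer(t)]
```

With `normalize=False` the sample yields no findings, while the default call reports both `@import` and `javascript:`. For rendering untrusted mail, stripping `<style>` and `style` content outright or allow-listing properties is more robust than keyword matching.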
