Skip to content
cyberexploits
webappasptext

SmarterMail 7.3 / 7.4 - Multiple Vulnerabilities

SmarterMail 7.3 / 7.4 - Multiple Vulnerabilities

Published on 2011-03-10

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/asp/webapps/16955.txt7eac4c3a
raw
Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me

Identified: October 28, 2010



Vendor: SmarterTools

Application: SmarterMail 7.x

Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload Parameters, OS Execution, XML Injection, LDAP Injection, DoS



Patch: The Vendor has released SmarterMail Version 8 at URI http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary



Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored XSS, other Vulns

              Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of Stored XSS, other Vulns

              Vendor updates to Version 8.0 on 3.10.2011



Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability information for SmarterMail Version 7.3 and 7.4, building on Version 7.1 and 7.2 exploits known as CVE-2010-3486 and CVE-2010-3425 at URI http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html.



Hoyt LLC Research | March 10, 2011



SmarterMail Versions 7.x | CWE-79: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Stored XSS - CWE-79, CAPEC-86 - SmarterMail Version 7.x Series

Summary



Severity:  	High

Confidence:  	Certain

Host:  	http://SmarterMail 7.x.Hosts

Path:  	/Main/frmPopupContactsList.aspx

Issue detail - Confirmed in Versions 7.1, 7.2, 7.3 and 7.4



The value of the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter submitted to the URL /Main/frmContact.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The payload 9e8e5<script>alert(1)</script>5b211c9e81 was submitted in the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmPopupContactsList.aspx.



Full Disclsoure - SmarterMail 7.x - Blog Posts

http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html

http://www.cloudscan.me/2010/09/smartermail-7x-713876-bugs-cross-site.html

http://www.cloudscan.me/2010/09/smarter-mail-7x-713876-file-fuzzing.html

http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x_07.html

http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x.html

http://www.cloudscan.me/2010/10/smartermail-7x-723925.html



Full Disclosure- SmarterMail 7.x - Burp Suite Pro 1.3.08 + Netsparker Audit Reports, HTML, XML Files, Screen Grabs.

http://xss.cx/examples/sm_7.2.3925_interim_report_1.htm

http://xss.cx/examples/sm_7.2.3925_interim_report_2.htm

http://xss.cx/examples/smartermail-7.2-report-interim-3.html

http://xss.cx/examples/sm-72-target.html

http://xss.cx/examples/sm_7.2.3925_stored_xss_audit_example.html

http://xss.cx/examples/sm_7.2.3925_file2_burp_1.3.08.html
View on GitHub