SmarterMail version 7.x suffers from cross site scripting, shell upload and directory traversal vulnerabilities.
5542870334cfbed1b3626bc964047046d9f725188b24a641c1a04d3d7474cf98To: Vuln.Lists
Re: Coordinated Disclosure, SmarterMail 7.x Versions
Private Note - Rewrite as you wish, vendor has acknowledged these bugs (and
more) and issued a fix.
------------------------------
Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me
Identified: October 28, 2010
Vendor: SmarterTools <http://www.smartertools.com/>
Application: SmarterMail 7.x
Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload
Parameters, OS Execution, XML Injection, LDAP Injection, DoS
Patch: The Vendor has released SmarterMail Version 8 at URI
http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary
Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored
XSS, other Vulns
Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of
Stored XSS, other Vulns
Vendor updates to Version 8.0 on 3.10.2011
Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability
information for SmarterMail Version 7.3 and 7.4, building on Version 7.1 and
7.2 exploits known as
CVE-2010-3486<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3486>and
CVE-2010-3425 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3425> at
URI
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html.
Hoyt LLC Research | March 10, 2011
SmarterMail Versions 7.x |
CWE-79<http://cwe.mitre.org/data/definitions/79.html>:
The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is used as a web
page that is served to other users.
Stored XSS - CWE-79, CAPEC-86 - SmarterMail Version 7.x SeriesSummary
Severity: *High
*Confidence: *Certain*Host: *http://SmarterMail 7.x.Hosts*Path: *
/Main/frmPopupContactsList.aspx*Issue detail - Confirmed in Versions 7.1,
7.2, 7.3 and 7.4The value of the
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter
submitted to the URL /Main/frmContact.aspx is copied into the HTML document
as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The
payload *9e8e5<script>alert(1)</script>5b211c9e81* was submitted in the
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This
input was returned unmodified in a subsequent request for the URL
/Main/frmPopupContactsList.aspx.
Full Disclsoure - SmarterMail 7.x - Blog Posts
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html
http://www.cloudscan.me/2010/09/smartermail-7x-713876-bugs-cross-site.html
http://www.cloudscan.me/2010/09/smarter-mail-7x-713876-file-fuzzing.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x_07.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x.html
http://www.cloudscan.me/2010/10/smartermail-7x-723925.html
Full Disclosure- SmarterMail 7.x - Burp Suite Pro 1.3.08 + Netsparker Audit
Reports, HTML, XML Files, Screen Grabs.
http://xss.cx/examples/sm_7.2.3925_interim_report_1.htm
http://xss.cx/examples/sm_7.2.3925_interim_report_2.htm
http://xss.cx/examples/smartermail-7.2-report-interim-3.html
http://xss.cx/examples/sm-72-target.html
http://xss.cx/examples/sm_7.2.3925_stored_xss_audit_example.html
http://xss.cx/examples/sm_7.2.3925_file2_burp_1.3.08.html
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed