March 2007
CommuniGate Pro - Webmail XSS Session Hijacking Vulnerability
ID: 80
Ref: 022/2007
Date: 07 March 2007:18:54:36
Version: 1
Title: CommuniGate Pro - Webmail XSS Session Hijacking Vulnerability
Abstract: The CommuniGate Pro application provides a web based application allowing users to retrieve emails using a web browser. However, email content is not sufficiently sanitised and can result in the execution of arbitrary scripts.
Vendors affected: CommuniGate
Applications affected: CommuniGate
Date: 2007-02-27
Severity: High Risk
Local/Remote: Remote
Vulnerability Class: XSS / Information Disclosure
Vendor URL: www.communigate.com
Vendor Response: A fix has been implemented for version 5.1.7
Exploit Details Included: Yes
OWASP Designation: Cross Site Scripting (A4)
Web Application Language: Custom/Unknown
Affected versions: 5.1.X up to and including 5.1.6.
Impact:
The vulnerability potentially allows for a user's session to be hijacked and for other malicious scripts to be executed within the context of the user's browser window.
Overview:
The CommuniGate Pro application provides a web based application allowing users to retrieve emails using a web browser. However, email content is not sufficiently sanitised and can result in the execution of arbitrary scripts. On accessing the web interface of the application the user is assigned a session ID, by sending a specially crafted email an attacker would be able to trick the user into transmitting their session ID to the attacker. The vulnerability affects the majority of the skins available for the application. CommuniGate have confirmed that the following skins are affected:
. GoldenFleece
. Simplex
. Viewpoint
. Aquinox
. Overview
. Xchange
Cause:
The vulnerability is the result of insufficient sanitisation of email content when the user chooses to reply to an email. Some areas of the application safely display potentially malicious content, including JavaScript, without executing it.
However, on choosing to reply to an email, scripts contained within the email being replied to are interpreted by the browser, giving an attacker a vector for performing XSS attacks.
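The defect described above is that the view path and the reply path treated message content differently. As an added example (not CommuniGate code), the following Python allow-list sanitiser is applied on both paths, so that script in a received message is neither rendered on view nor quoted live into the reply editor; the tag and attribute allow-lists, the function names and the hostile sample body are this example's own choices.

```python
# Added example, not CommuniGate code: an allow-list HTML sanitiser applied
# on BOTH the message-view path and the reply-quoting path, so that script
# in a received message cannot run when the user replies to it.
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allow-lists chosen for this example; a deployment would tune them.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a",
                "blockquote", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}          # no on* handlers, no style
ALLOWED_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}


class _Sanitiser(HTMLParser):
    """Rebuilds the document from allowed tags only; everything else is dropped
    or escaped. Text inside <script>/<style> is discarded entirely."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # stack of allowed tags we have emitted
        self.skip_depth = 0   # > 0 while inside script/style content

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return            # unknown tag (img, iframe, form, ...) removed
        safe_attrs = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()):
                continue      # drops onerror=, onclick=, style=, ...
            if name == "href":
                # Only absolute URLs with an allowed scheme survive; this
                # rejects javascript:, data:, vbscript: and relative links.
                scheme = urlparse((value or "").strip()).scheme.lower()
                if scheme not in ALLOWED_SCHEMES:
                    continue
            safe_attrs.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(safe_attrs)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return
        # Close tags opened after this one first, so output stays well-nested.
        while self.open_tags:
            closed = self.open_tags.pop()
            self.out.append(f"</{closed}>")
            if closed == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass                  # comments are never re-emitted

    def result(self):
        while self.open_tags: # close anything the sender left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitise_html(untrusted_html):
    parser = _Sanitiser()
    parser.feed(untrusted_html)
    parser.close()
    return parser.result()


def render_message_view(body_html):
    """What the mailbox 'view' page inserts into the browser."""
    return sanitise_html(body_html)


def render_reply_quote(body_html):
    """What the 'reply' editor pre-fills. Same sanitiser, same result: the
    advisory's defect was that this path did not neutralise the content."""
    return "<blockquote>" + sanitise_html(body_html) + "</blockquote>"


if __name__ == "__main__":
    # Constructed hostile message body for demonstration.
    hostile = ('<p onmouseover="x()">Hello</p>'
               '<script>alert(1)</script>'
               '<a href="javascript:alert(1)">link</a>')
    print(render_message_view(hostile))
    print(render_reply_quote(hostile))
```

The point of routing both `render_message_view` and `render_reply_quote` through one function is that any later rendering path (print view, forward, draft restore) gets the same treatment by default; a second, weaker code path is exactly how this class of bug appears. The allow-list is deliberately conservative (relative links and images are dropped); loosening it is a product decision, not a security one.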
Interim Workaround:
It should be ensured that the "Fixed Address Check" option is not disabled unless essential, and particular caution should be taken when replying to all messages.
This check ensures that a user's session is only ever accessible from a single IP address and may help prevent session hijacking. Additionally users should ensure that they correctly log out of the application on exiting and that one of the unaffected skins is used.
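The workaround above relies on two controls: a session that is only honoured from the IP address that created it, and a logout that actually invalidates server-side state. As an added example (not CommuniGate code), the Python below shows a minimal session store with that binding and a log review that flags any session ID presented from more than one client address; the `SessionStore` class, the log line format and the sample log are constructed for this example.

```python
# Added example, not CommuniGate code. Two defender-side pieces that mirror
# the "Fixed Address Check" idea: (1) a server-side session record bound to
# the client IP at login, checked on every request and invalidated at logout;
# (2) a log review that flags a session ID presented from more than one IP.
# The log line format below is constructed for this example.
import re
from collections import defaultdict


class SessionStore:
    """Sessions bound to the IP that created them (hypothetical helper)."""

    def __init__(self):
        self._sessions = {}   # session_id -> bound client IP

    def create(self, session_id, client_ip):
        self._sessions[session_id] = client_ip

    def is_valid(self, session_id, client_ip):
        # Unknown session, logged-out session, or a different IP -> reject.
        return self._sessions.get(session_id) == client_ip

    def logout(self, session_id):
        # Logging out must invalidate server-side state, not just the cookie.
        self._sessions.pop(session_id, None)


# Constructed log format: <timestamp> <client_ip> session=<id> <method> <path>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) session=(?P<sid>[\w-]+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)$"
)

# Constructed sample: one session seen from two addresses, one seen from one.
SAMPLE_LOG = """\
2007-03-07T18:50:01 192.0.2.10 session=1234-ABCD GET /webmail/inbox
2007-03-07T18:50:05 192.0.2.10 session=1234-ABCD GET /webmail/message?id=42
2007-03-07T18:51:12 198.51.100.7 session=1234-ABCD GET /webmail/inbox
2007-03-07T18:52:00 192.0.2.11 session=9999-ZZZZ GET /webmail/inbox
not a log line
"""


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shared_sessions(lines):
    """Return {session_id: [(ip, first_seen), ...]} for every session ID that
    was presented from more than one client IP, ordered by first sighting."""
    first_seen = defaultdict(dict)          # sid -> {ip: first timestamp}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                        # skip malformed lines
        first_seen[rec["sid"]].setdefault(rec["ip"], rec["ts"])
    return {
        sid: sorted(ips.items(), key=lambda kv: kv[1])
        for sid, ips in first_seen.items()
        if len(ips) > 1
    }


if __name__ == "__main__":
    for sid, sightings in find_shared_sessions(SAMPLE_LOG.splitlines()).items():
        print(f"session {sid} used from {len(sightings)} addresses: {sightings}")
```

The log review is the detection counterpart of the preventive check: where the check must stay disabled (users behind load-balanced proxies or on mobile connections whose address changes mid-session), the same condition can still be reviewed after the fact, with those known sources excluded, rather than silently accepted.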
Solution:
CommuniGate have addressed this issue and implemented a fix in version 5.1.7 with reference "Bug Fix: WebSkins: 5.1c3". Version 5.1.7 can be downloaded from the following location:
ftp://ftp.communigate.com/pub/CommuniGatePro/5.1
The CPNI Vulnerability Team would like to thank MWR InfoSecurity for informing us of a vulnerability in the webmail portion of the Communigate Pro mail server.
More details can be found in the MWR news item (http://www.mwrinfosecurity.com/news/1651.html) or in the full vulnerability notice at http://www.mwrinfosecurity.com/advisories/mwri_communigate-xss-advisory_2007-02-27.pdf
CPNI wishes to acknowledge the contributions of MWR InfoSecurity for the information contained in this advisory.