Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me
Identified: October 28, 2010
Vendor: SmarterTools
Application: SmarterMail 7.x
Bug(s): Stored XSS, Reflected XSS, Directory Traversal, File Upload Parameters, OS Execution, XML Injection, LDAP Injection, DoS
Patch: The Vendor has released SmarterMail Version 8 at URI http://www.smartertools.com/Download.aspx?Product=SmarterMail&File=Installer&Version=8&Location=Primary
Timeline: Notify Vendor 10-28-2011 on Version 7.3 with respect to Stored XSS, other Vulns
Vendor updates to Version 7.4 on 12.30.2010, Notify Vendor of Stored XSS, other Vulns
Vendor updates to Version 8.0 on 3.10.2011
Publication: March 10, 2011 | Hoyt LLC Research publishes vulnerability information for SmarterMail Version 7.3 and 7.4, building on Version 7.1 and 7.2 exploits known as CVE-2010-3486 and CVE-2010-3425 at URI http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html.
Hoyt LLC Research | March 10, 2011
SmarterMail Versions 7.x | CWE-79: The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Stored XSS - CWE-79, CAPEC-86 - SmarterMail Version 7.x Series
Summary
Severity: High
Confidence: Certain
Host: http://SmarterMail 7.x.Hosts
Path: /Main/frmPopupContactsList.aspx
Issue detail - Confirmed in Versions 7.1, 7.2, 7.3 and 7.4
The value of the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter submitted to the URL /Main/frmContact.aspx is copied into the HTML document as plain text between tags at the URL /Main/frmPopupContactsList.aspx. The payload 9e8e5<script>alert(1)</script>5b211c9e81 was submitted in the ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This input was returned unmodified in a subsequent request for the URL /Main/frmPopupContactsList.aspx.
Full Disclsoure - SmarterMail 7.x - Blog Posts
http://www.cloudscan.me/2011/03/smartermail-73-74-full-disclosure-xss.html
http://www.cloudscan.me/2010/09/smartermail-7x-713876-bugs-cross-site.html
http://www.cloudscan.me/2010/09/smarter-mail-7x-713876-file-fuzzing.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x_07.html
http://www.cloudscan.me/2010/10/vendor-smartertoolscom-smartermail-7x.html
http://www.cloudscan.me/2010/10/smartermail-7x-723925.html
Full Disclosure- SmarterMail 7.x - Burp Suite Pro 1.3.08 + Netsparker Audit Reports, HTML, XML Files, Screen Grabs.
http://xss.cx/examples/sm_7.2.3925_interim_report_1.htm
http://xss.cx/examples/sm_7.2.3925_interim_report_2.htm
http://xss.cx/examples/smartermail-7.2-report-interim-3.html
http://xss.cx/examples/sm-72-target.html
http://xss.cx/examples/sm_7.2.3925_stored_xss_audit_example.html
http://xss.cx/examples/sm_7.2.3925_file2_burp_1.3.08.html