
SSD Secure Disclosure

Disclosing vulnerabilities responsibly since 2007

SSD Advisory – MDaemon Mail Server Multiple XSS Vulnerabilities

Vulnerabilities Summary
The following advisory describes two XSS vulnerabilities found in MDaemon Mail Server that let attackers send emails with malicious payloads and run client-side code in the victim's browser as soon as the victim opens an email.


An independent security researcher, Zhong Zhaochen, has reported this vulnerability to the SSD Secure Disclosure program.

Affected systems
MDaemon Mail Server versions 14.0.x – 18.5.x

Vendor Response

Two cross-site scripting (XSS) vulnerabilities in MDaemon Webmail (WorldClient) were recently reported by SecuriTeam Secure Disclosure (SSD). These vulnerabilities may impact all browser types.

To address this issue, the development team at MDaemon Technologies has released patches for affected versions of MDaemon.

For specific information, see the Affected Software Section below.


For MDaemon installations, MDaemon Technologies recommends that administrators download and install the appropriate update listed below.

Known Issues:

There are no known issues that customers may experience when installing this patch.

Vulnerability Details

The first vulnerability lies in the HTML attachment feature of MDaemon. Attackers can send malicious HTML documents; when the victim opens the attachment, it is opened in the browser and runs the attacker's client-side code.

When the victim clicks the html file with this content:

It will open the attachment immediately and will run the attacker's client-side code.

The second XSS vulnerability is in the content of the email itself. Attackers can exploit this vulnerability to steal any folder or contact from the victim's email and forward it to themselves.

The MDaemon server serves the XSS content with an error method.

The XSS filter does not correctly handle "<!--" when it appears as an attribute of an HTML element, which allows the filter to be bypassed. We can bypass the filter in this way:

Once the victim opens the mail with the malicious payload, the code that the attacker injected will run immediately. 
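As a defensive illustration of the filter weakness described above (an added example, not code from the advisory or from MDaemon): a sanitizer that parses the message into tokens and rebuilds it from an allowlist treats "<!--" inside an attribute as plain attribute text and discards real comments, so comment markers cannot hide markup from it. The allowlist, the `sanitize` function and the sample message are assumptions constructed for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed allowlist for illustration; a real webmail policy would be broader.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(),
           "a": {"href", "title"}, "img": {"src", "alt"}}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}   # the element's text is discarded as well
VOID = {"br", "img"}

# Constructed test input (not the advisory's payload): "<!--" inside an attribute.
SAMPLE = ('<p>Hello<img src="https://example.test/a.png" alt="<!--" '
          'onerror="x()">world</p><!-- note --><script>x()</script>')

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        if self.skip or tag not in ALLOWED:
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            bad_url = name in URL_ATTRS and not value.strip().lower().startswith(SAFE_SCHEMES)
            if name not in ALLOWED[tag] or bad_url:
                continue  # event handlers, style, javascript:/data: URLs ...
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out)
```

Because the output is re-serialized from parsed tokens with every attribute value escaped, the browser receives `alt="&lt;!--"` rather than the sender's raw bytes.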


This is the exploit, which sends a malicious email from the attacker's email account to the victim with a payload that sends the victim's mails back to the attacker.

