SSD Advisory – Axigen HTML Attachments Cross Site Scripting

SecuriTeam Secure Disclosure
SecuriTeam Secure Disclosure (SSD) provides the support you need to turn your experience uncovering security vulnerabilities into a highly paid career. SSD was designed by researchers for researchers and will give you the fast response and great support you need to make top dollar for your discoveries.
Introduction
Axigen is a Linux mail server, calendaring and collaboration suite: a fully private, highly available and scalable messaging solution.
Vulnerability Details
The vulnerability lies in the “actions.hsp” handler, which is responsible for rendering certain attachments in the browser. The handler serves HTML attachments inline without any restriction, so any JavaScript they contain is executed. Worse, the application by default renders the attachment in the same origin as the WebMail interface itself, so the script runs with the victim's WebMail session and opens the door to more complex attacks than a simple alert.

The attack is carried out by creating an HTML file containing a trivial script, for example:

<script>alert(1)</script>

This payload works in every browser.

You can create the file in Notepad. You can even insert a space followed by a decoy extension (such as .jpeg) into the filename to make the attachment look more “attractive”:
[Screenshot: the HTML file saved with a decoy .jpeg extension]
Save the file and send it through any mail service, for example Gmail:
[Screenshot: the attachment being sent from Gmail]
Then open the attachment in Axigen WebMail and the XSS fires:
[Screenshot: opening the attachment in WebMail]
[Screenshot: the alert(1) dialog rendered in the WebMail origin]
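The following is an added example, not code from the advisory or from Axigen, that puts both halves of the description above into one runnable script. build_poc_message() assembles the e-mail described: an HTML attachment carrying <script>alert(1)</script>, with a space and a decoy .jpeg in front of the real extension. vulnerable_policy() and hardened_policy() then show how a webmail "view attachment" handler answers a request for that attachment, first in the way the advisory describes (rendered inline in the WebMail origin) and then with the kind of fix the vendor describes (an allow-list of inert types rendered inline, everything else forced to download, plus nosniff and a sandbox CSP). The addresses, subject, filename, allow-list, header set and all function names are assumptions made for the example.

```python
"""Added example for CVE-2015-5379; not Axigen code.  All names, the
allow-list and the header set are assumptions chosen for illustration."""
import email
import re
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage

POC_HTML = "<html><body><script>alert(1)</script></body></html>"
DECOY_NAME = "holiday.jpeg .html"  # constructed: a space plus a decoy extension

# Types that carry no active content when served with nosniff (assumption;
# HTML, SVG and XML are deliberately absent).
INLINE_ALLOWLIST = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Markers that betray a markup document whatever the declared Content-Type.
HTML_MARKERS = (b"<!doctype", b"<html", b"<script", b"<body", b"<iframe",
                b"<svg", b"<object", b"<embed", b"<meta")


def build_poc_message() -> bytes:
    """Serialise a message whose only attachment is the HTML payload above."""
    msg = EmailMessage()
    msg["From"] = "attacker@example.com"  # constructed addresses
    msg["To"] = "victim@example.com"
    msg["Subject"] = "holiday pictures"
    msg.set_content("See attachment.")
    # str content + subtype="html" gives text/html; filename forces attachment disposition
    msg.add_attachment(POC_HTML, subtype="html", filename=DECOY_NAME)
    return msg.as_bytes()


def extract_attachment(raw: bytes):
    """What a webmail backend does first: recover name, declared type and bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        return part.get_filename(), part.get_content_type(), part.get_payload(decode=True)
    raise ValueError("message carries no attachment")


def looks_like_html(body: bytes) -> bool:
    """Cheap content check: the first KiB is enough to spot a markup document."""
    head = body[:1024].lower()
    return any(marker in head for marker in HTML_MARKERS)


def sanitize_filename(name: str) -> str:
    """Strip control characters, quotes and backslashes so the name cannot break
    out of the Content-Disposition header (a CR/LF would inject headers)."""
    return re.sub(r'[\x00-\x1f\x7f"\\]', "_", name).strip() or "attachment"


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


def vulnerable_policy(filename: str, declared_type: str, body: bytes) -> Response:
    """Pre-patch behaviour: trust the declared type and render inline.  For
    text/html the browser executes the script in the WebMail origin."""
    headers = {
        "Content-Type": declared_type,
        "Content-Disposition": f'inline; filename="{filename}"',
    }
    return Response(200, headers, body)


def hardened_policy(filename: str, declared_type: str, body: bytes) -> Response:
    """Render inline only allow-listed types whose bytes do not look like markup;
    everything else is a download.  nosniff stops the browser from second-guessing
    the type, and a sandbox CSP neuters anything that still renders as a document."""
    ctype = declared_type.split(";")[0].strip().lower()
    safe_name = sanitize_filename(filename)
    headers = {"X-Content-Type-Options": "nosniff"}
    if ctype in INLINE_ALLOWLIST and not looks_like_html(body):
        headers["Content-Type"] = ctype
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
        headers["Content-Security-Policy"] = "sandbox; default-src 'none'"
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return Response(200, headers, body)


def demo():
    """Run the PoC attachment through both policies; returns (vulnerable, hardened)."""
    name, ctype, body = extract_attachment(build_poc_message())
    return vulnerable_policy(name, ctype, body), hardened_policy(name, ctype, body)


if __name__ == "__main__":
    for label, resp in zip(("vulnerable", "hardened"), demo()):
        print(label, resp.headers)
```

Run directly, the script prints the response headers each policy would send for the PoC attachment. Note that the hardened policy also refuses to render bytes that look like HTML even when the sender declared them as image/jpeg, so it covers senders who lie about the MIME type as well as about the filename; the vendor's actual fix (limiting the attachment types loaded in the browser) is described only in outline, so the exact checks here are the example's own.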
CVE
A single CVE entry has been assigned to this vulnerability: CVE-2015-5379
Vendor Response
The vendor response was exceptionally good: from report to released patch took them less than one month. Their statement:

Axigen’s WebMail Ajax interface implements a view attachment function that executes javascript code that is part of email HTML attachments. This allows a malicious user to craft email messages that could expose an Axigen WebMail Ajax user to cross site scripting or other attacks that rely on arbitrary javascript code running within a trusted domain.
Axigen versions starting with 9.0 address this issue by limiting the attachment types that are loaded in the browser. For earlier Axigen versions patches are available on the Axigen support channel.
Affected Products and Versions: Axigen Mail Server 8.x versions
Vendor Internal ID: AXI-CVE-20150601
Vendor security advisory: Ajax WebMail 8.x security patch (CVE-2015-5379)