[NT] Zaep AntiSpam Cross Site Scripting
From: SecuriTeam (support_at_securiteam.com)
Date: 04/14/04
To: list@securiteam.com Date: 14 Apr 2004 09:41:24 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Zaep AntiSpam Cross Site Scripting
------------------------------------------------------------------------
SUMMARY
Beyond Security has discovered a security vulnerability in Zaep AntiSpam
2.0 (http://www.zaep.com/). The vulnerability allows a remote attacker to
use the Zaep program's CGI to cause it to return third party content as if
it were its own (a cross-site scripting vulnerability). Depending on the
web server's configuration and the site's sensitivity, this vulnerability
would allow an attacker to steal cookies, display alternative information
(cross-site defacement), or redirect users to malicious sites.
DETAILS
Vulnerable Systems:
* Zaep AntiSpam 2.0
Immune Systems:
* Zaep AntiSpam 2.0.0.2
Once you send an email to an organization protected by Zaep, a URL like:
http://vulnerable.zaep/?key=3d981f0f.4056b0a6.23285275 is issued. If you
modify the URL to include <script>something</script>, Zaep will convert
the '/' character to '\', which stops the script clause from working
properly. So far, this behavior "protects" the product from a cross-site
scripting vulnerability. However, double encoding the '/' character
(%252F) bypasses this conversion and allows malicious content (JavaScript,
HTML, etc.) to be inserted into the page.
Exploit (for all the vulnerabilities):
http://vulnerable.zaep/?key=
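
The double-decoding problem described under DETAILS, as an added example that is not part of the original advisory and is not Zaep's code. naive_filter is a simplified model of the described behaviour (where the second decode happens is an assumption), and KEY_RE is inferred from the single sample key shown above; the hardened path decodes to a fixed point, validates the key format, and HTML-encodes anything echoed back.

```python
import html
import re
from urllib.parse import unquote

# Assumption: key format inferred from the one sample key in the advisory.
KEY_RE = re.compile(r"[0-9a-f]{8}\.[0-9a-f]{8}\.[0-9a-f]{8}")

def naive_filter(raw):
    """Model of the flaw: decode once, rewrite '/', then a later layer decodes again."""
    once = unquote(raw)                  # %252F becomes %2F, so no '/' is visible yet
    filtered = once.replace("/", "\\")   # the '/' to '\' conversion from the advisory
    return unquote(filtered)             # second decode restores '/' after the filter ran

def canonicalize(raw, max_rounds=5):
    """Percent-decode until the value stops changing; refuse deeply nested encoding."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")

def safe_key(raw):
    """Return the key only if its canonical form matches the expected format."""
    try:
        value = canonicalize(raw)
    except ValueError:
        return None
    return value if KEY_RE.fullmatch(value) else None

def echo_safely(raw):
    """If a value must be reflected, HTML-encode its canonical form at output time."""
    return html.escape(canonicalize(raw))

# Constructed inputs, taken from the strings quoted in the advisory text.
SINGLE = "<script>something</script>"
DOUBLE = "<script>something<%252Fscript>"
GOOD = "3d981f0f.4056b0a6.23285275"

if __name__ == "__main__":
    for name, value in (("single", SINGLE), ("double", DOUBLE), ("good", GOOD)):
        print(name, repr(naive_filter(value)), safe_key(value), echo_safely(value))
```

Validating against an allow-list format after canonicalization removes the need for character rewriting, and output encoding covers any value that is still reflected.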