Merak Mail Server Web Mail "IMG" HTML Tag Script Insertion

Report ID: SA200800103
Source: Secunia
Date of Discovery: 24.12.2008
Criticality: Moderate
Affects:
IceWarp Web Mail 5.x
Merak Mail Server 9.x

Compromise From: From remote
Compromise Type: Cross site scripting

Summary

Nenad Vijatov has discovered a vulnerability in Merak Mail Server, which can be exploited by malicious people to conduct script insertion attacks.

Detailed Description

Input passed via "<IMG>" HTML tags in emails is not properly sanitised before being displayed. This can be exploited to insert arbitrary HTML and script code via a specially crafted email, which is executed in a user's browser session in the context of an affected site when the email is viewed.

The vulnerability is confirmed in version 9.3.2 for Windows. Other versions may also be affected.
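The root cause described above is rendering untrusted HTML from an email body without an allowlist. The following is an added example (not IceWarp/Merak code, and not the vendor's fix) of the kind of allowlist sanitiser a webmail front end would apply before display: unknown tags are dropped, only a fixed set of attributes survives per tag, event-handler attributes never survive, and `src`/`href` values must carry an allowed scheme (here `http`, `https` and `cid` for inline attachments; scheme-relative and `javascript:` URLs are rejected). The tag and attribute sets, the sample message body and the `dropped` audit list are all constructed for this example.

```python
"""Allowlist HTML sanitiser for untrusted email bodies (added example, not vendor code)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: anything not listed here is dropped from the output.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img",
                "ul", "ol", "li", "div", "span"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
}
URL_ATTRS = {"src", "href"}
ALLOWED_SCHEMES = {"http", "https", "cid"}   # cid: = inline MIME part
VOID_TAGS = {"br", "img"}


def safe_url(value):
    """Return the URL if its scheme is allowed, else None.

    Whitespace and control characters are removed first so that a scheme
    split by a tab or newline is still recognised by urlsplit.
    """
    cleaned = re.sub(r"[\s\x00-\x1f\x7f]", "", value)
    scheme = urlsplit(cleaned).scheme          # urlsplit lower-cases the scheme
    if scheme not in ALLOWED_SCHEMES:          # also rejects "" (scheme-relative)
        return None
    return cleaned


class EmailHtmlSanitizer(HTMLParser):
    """Rebuilds the document from parsed tokens, keeping only allowlisted parts."""

    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities decoded before checks
        self.out = []
        self.dropped = []        # audit trail: what was removed and why

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append(f"tag:{tag}")
            return
        kept = {}
        for name, value in attrs:               # names arrive lower-cased
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append(f"attr:{tag}@{name}")   # catches on* handlers
                continue
            if name in URL_ATTRS:
                value = safe_url(value)
                if value is None:
                    self.dropped.append(f"url:{tag}@{name}")
                    continue
            kept[name] = value
        if tag == "img" and "src" not in kept:   # an image with no safe src is useless
            self.dropped.append("tag:img-without-safe-src")
            return
        rendered = "".join(f' {n}="{escape(v, quote=True)}"' for n, v in kept.items())
        self.out.append(f"<{tag}{rendered}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text (including the body of a dropped <script>) is re-escaped as text.
        self.out.append(escape(data, quote=False))
    # Comments, declarations and processing instructions fall through to the
    # base-class no-op handlers and are therefore discarded.


def sanitize_email_html(html):
    """Return (sanitised_html, dropped_items) for an untrusted email body."""
    parser = EmailHtmlSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.dropped


# Constructed sample body: one legitimate inline image and several parts
# that an allowlist sanitiser must not let through.
CONSTRUCTED_EMAIL_BODY = (
    "<p>Quarterly report attached.</p>"
    '<img src="cid:logo@example.com" alt="logo" onerror="run()">'
    '<img src="javascript:run()">'
    "<script>doStuff()</script>"
)

if __name__ == "__main__":
    clean, dropped = sanitize_email_html(CONSTRUCTED_EMAIL_BODY)
    print(clean)
    print(dropped)
```

The `dropped` list is worth logging on the server side: a message whose rendering drops event-handler attributes or `javascript:` URLs from `<img>` tags is exactly the pattern this advisory describes, and counting such drops per sender gives a cheap detection signal alongside the mitigation.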

Solution

Update to version 9.4.0, which fixes the vulnerability in the WebMail Pro Interface.

Development for "IceWarp Web Mail" and the WebMail Basic interface has been discontinued.