Scalix Web Access 11.4.6.12377 / 12.2.0.14697 XXE Injection / XSS
Posted Oct 31, 2014
Authored by A. Kolmann, R. Giruckas | Site sec-consult.com

Scalix Web Access versions 11.4.6.12377 and 12.2.0.14697 suffer from cross site scripting and XXE injection vulnerabilities.

tags | advisory, web, vulnerability, xss, xxe
SHA-256 | 06005f4468db5341e14d28b6675844085a2d7dcf7832f80cd854ed5ae0b5f8e6

SEC Consult Vulnerability Lab Security Advisory < 20141031-0 >
=======================================================================
title: XML External Entity Injection (XXE) and Reflected XSS
product: Scalix Web Access
vulnerable version: 11.4.6.12377 and 12.2.0.14697
fixed version: -
impact: Critical
homepage: http://www.scalix.com/
found: 2014-08-27
by: R. Giruckas, A. Kolmann
SEC Consult Vulnerability Lab
https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Employees need to access their email from wherever they happen to be – on the
road, at customer sites, remote offices, and at home. Users who need remote
access to their email often include customer-facing sales and support
personnel, who need to stay connected and informed to be responsive to
customers. The problem is, most web clients have slow performance and limited
functionality. Scalix Web Access is different. It is an AJAX-based web client
that delivers the look and feel, usability and performance of a desktop
application."

Source: http://www.scalix.com/communityedition-scalixwebaccess


Business recommendation:
------------------------
By exploiting the XXE vulnerability, an unauthenticated attacker can read files
from the filesystem of the Scalix Mail Server host and thereby obtain sensitive
information such as configuration files.
It is also possible to port-scan internal hosts and to cause a denial of
service on the affected host.


Vulnerability overview/description:
-----------------------------------
1) XML External Entity Injection
The XML parser in use resolves external XML entities, which allows attackers
to read local files and to send requests to systems on the internal network
(e.g. port scanning). The risk of this vulnerability is greatly increased by
the fact that it can be exploited by anonymous users without an existing
user account.

2) Reflected XSS
The Scalix mail administration login panel is prone to reflected cross-site
scripting. The vulnerability can be used to inject HTML or JavaScript code
into the affected web page. The code is executed in the browser of any user
who visits the manipulated URL.
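The parser behaviour described under 1) above (and the file-read impact given in the business recommendation), as an added example that is not part of this advisory and is not Scalix's code: the advisory does not say which XML library Scalix Web Access uses, so Python's expat module stands in for it here. parse_vulnerable() models an application whose parser opens whatever SYSTEM identifier the untrusted document supplies, parse_hardened() models the fix of refusing DTDs altogether, and the "secret" file and attacker payload are constructed for the demonstration. Only local paths are resolved so that the example runs offline; a resolver that also fetched http(s): URLs is what gives an attacker the internal port-scanning and DoS vectors mentioned above.

```python
import os
import tempfile
import urllib.parse
import urllib.request
from xml.parsers import expat


class DoctypeRejected(Exception):
    """Raised by the hardened parser as soon as a DOCTYPE declaration appears."""


def _collect_text(parser):
    """Attach a character-data handler to `parser` and return the list it fills."""
    chunks = []
    parser.CharacterDataHandler = chunks.append
    return chunks


def parse_vulnerable(xml_bytes):
    """Parse like an XXE-prone application (modelled, not Scalix's code): SYSTEM
    identifiers taken from the untrusted document are opened and their content is
    spliced into the parsed text. Returns the document's character data."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)

    def resolve_external_entity(context, base, system_id, public_id):
        path = system_id
        if system_id.startswith("file:"):
            path = urllib.request.url2pathname(urllib.parse.urlparse(system_id).path)
        with open(path, "rb") as fh:  # attacker-chosen path is read here
            data = fh.read()
        # The child parser inherits this parser's handlers, so the file's text
        # lands in `chunks` exactly as if it had been written in the document.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = resolve_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def parse_hardened(xml_bytes):
    """Parse with DTD processing refused outright. Without a DOCTYPE no entity
    can be declared, which removes file disclosure, internal requests and
    entity-expansion DoS in one step; no ExternalEntityRefHandler is installed."""
    parser = expat.ParserCreate()
    chunks = _collect_text(parser)

    def reject_doctype(name, system_id, public_id, has_internal_subset):
        raise DoctypeRejected("DOCTYPE %r refused: DTDs are not accepted" % name)

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


def build_payload(path):
    """Constructed attacker document: declares an external entity pointing at
    `path` and references it in element content so the file's text is reflected."""
    return (b'<?xml version="1.0"?>\n'
            b'<!DOCTYPE r [<!ENTITY xxe SYSTEM "' + path.encode() + b'">]>\n'
            b'<r>&xxe;</r>')


def run_demo():
    """Write a stand-in secret file, feed the payload to both parsers and
    report what each one did."""
    with tempfile.NamedTemporaryFile("wb", suffix=".conf", delete=False) as fh:
        fh.write(b"admin_password=hunter2\n")  # constructed sample secret
        secret_path = fh.name
    try:
        payload = build_payload(secret_path)
        leaked = parse_vulnerable(payload)  # file content comes back to the attacker
        try:
            parse_hardened(payload)
            hardened = "parsed"
        except DoctypeRejected:
            hardened = "rejected"
    finally:
        os.unlink(secret_path)
    # The hardened parser still handles ordinary, DTD-free documents.
    return {"leaked": leaked, "hardened": hardened,
            "benign": parse_hardened(b"<r>hello</r>")}


if __name__ == "__main__":
    print(run_demo())
```

Rejecting the DOCTYPE is preferable to merely not installing an external-entity handler: the latter still lets an internal subset declare nested entities for a "billion laughs" expansion, whereas a document with no DTD cannot declare any entity at all.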


Proof of concept:
-----------------
The proof of concept information has been removed from this advisory as the
vendor failed to respond within 50 days and no patch is available.


1) XML External Entity Injection
The unauthenticated XML External Entity Injection vulnerability can be
exploited by issuing a specially crafted HTTP POST request to the [removed]
handler.


2) Reflected XSS
The supplied parameter value in the [removed] script is reflected without
proper validation or output encoding and is executed in the victim's web
browser.


Vulnerable / tested versions:
-----------------------------
The XXE vulnerability has been verified to exist in Scalix Web Access
versions 11.4.6.12377 and 12.2.0.14697.

The reflected XSS vulnerability has been verified to exist in Scalix Web Access
version 11.4.6.12377. Version 12.2.0.14697 has not been tested for the XSS issue.


Vendor contact timeline:
------------------------
2014-09-11: Contacting vendor through info@scalix.com, requesting encryption
keys and attaching responsible disclosure policy
2014-10-13: No response so far, hence trying again by contacting vendor
through info@scalix.com
2014-10-28: No response so far, hence trying again by contacting vendor
through info@scalix.com
2014-10-31: SEC Consult releases security advisory


Solution:
---------
None available.


Workaround:
-----------
There is no workaround known other than to disable Scalix Web Access until a
thorough security review has been performed and patches are available.


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab

SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

Interested to work with the experts of SEC Consult?
Write to career@sec-consult.com

EOF A. Kolmann / @2014
