1) Summary Affected software: Stalker CommuniGate Pro version 5.1.8 and below Vendor URL: www.stalker.com Severity: Medium 2) Vulnerability Description CommuniGate Pro is a communication server supporting a large number of protocols. It includes a web mail system. The web mail system suffers from a persistent cross-site scripting vulnerability. Web mail application fails to sanitize incoming HTML emails properly. An attacker can send a specially crafted email message to a user of CommuniGate Pro. When the user views the attacker's message using web mail client and Internet Explorer, the JavaScript embedded into attacker's message gets executed. The attacker can use JavaScript code to perform any actions in the web mail on behalf of the user, for example change settings, steal messages, etc. 3) Verification Send an HTML email message containing the following code and view it with Internet Explorer using CommuniGate Pro web mail client: 4) Solution Upgrade to CommuniGate Pro version 5.1.9. 5) Time Table 2005/11/18 Vendor was informed 2005/11/19 Vendor replied saying that they will investigate the report 2007/04/30 Vendor was notified again 2007/05/12 Vendor releases fixed version 2007/05/12 Scanit publishes advisory 6) Additional Information * The original advisory can be found here: http://www.scanit.be/advisory-2007-05-12.html * An automatic tool for checking for cross-site scripting problems in web mail systems can be downloaded here: http://www.scanit.be/excess.html * Special thanks to RSnake for his XSS cheatsheet (http://ha.ckers.org/xss.html) 7) About Scanit Scanit is a security company located in Brussels, Belgium. We specialise in security assessments, offering services such as penetration tests, application source code reviews, and risk assessments. More information can be found at http://www.scanit.be/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/