Skip to navigation Skip to main content Skip to footer

Symantec Messaging Gateway Out of band stored XSS delivered by email

05 November 2015

By R.Rivera

Summary

Name: Symantec Messaging Gateway – Out-of-band stored-XSS delivered by email
Release Date: 30 November 2012
Reference: NGS00268
Discoverer: Ben Williams
Vendor: Symantec
Vendor Reference:
Systems Affected: Symantec Messaging Gateway 9.5.3-3
Risk: Critical
Status: Published

TimeLine

Discovered: 17 April 2012
Released: 17 April 2012
Approved: 29 April 2012
Reported: 30 April 2012
Fixed: 27 August 2012
Published: 30 November 2012

Description

I. VULNERABILITY

Symantec Messaging Gateway 9.5.3-3 – Out-of-band stored-XSS – delivered by email

II. BACKGROUND

Symantec Messaging Gateway 9.5.3-3 is the latest version, of their Email Security Appliance

III. DESCRIPTION

This issue means that an attacker can construct a malicious email message, containing arbitrary javascript in the subject line. When the message audit log is viewed (by an administrator) the script will execute in the context of the logged in admin.

This is a very serious issue, because the attack vector is a spam email, and the admin only has to view the messages in the audit log for the payload to execute. (Payloads could include any management or reconfiguration actions within the UI, or redirecting the user to other malicious content)

Additionally, the spam email containing the script can easily be made invisible within the UI, and/or damage the rendering of the UI to prevent itself from being noticed.

Technical Details

IV. PROOF OF CONCEPT

There are several ways to exploit this issue, here is an example using a script in the subject line, to produce a pop-up:

For example a message can be sent with the following subject line:

Something boring here…”>

Which could be sent with an automated script for example:

./sendEmail -s 192.168.1.59:25 -u “Something boring here…”>”” -f c@d.com -t bob@insidetrust.com -o message-file=spam1.txt
(the body can contain any content)