Zaep AntiSpam Cross Site Scripting

Summary

Beyond Security has discovered a security vulnerability in Zaep AntiSpam 2.0. The vulnerability would allow a remote attacker to use the Zaep program’s CGI to return third-party content as if it were the program’s own (a cross-site scripting vulnerability). Depending on the web server’s configuration and the sensitivity of the site, this would allow an attacker to steal cookies, display alternative information (cross-site defacement), or redirect users to malicious sites.

Credit:

The information has been provided by Noam Rathaus.


Details

Vulnerable Systems:
 * Zaep AntiSpam 2.0

Immune Systems:
 * Zaep AntiSpam 2.0.0.2

Once you send an email to an organization protected by Zaep, a URL such as http://vulnerable.zaep/?key=3d981f0f.4056b0a6.23285275 is issued. If you modify the URL to include <script>something</script>, Zaep converts the ‘/’ character, so the closing </script> tag is malformed and the script does not run. On its own, this behavior ‘protects’ the product from a cross-site scripting vulnerability. However, double-encoding the ‘/’ character (%252F) bypasses this conversion and allows malicious content (JavaScript, HTML, etc.) to be inserted into the page.

Exploit (for all the vulnerabilities):
http://vulnerable.zaep/?key=<script>alert(document.cookie)<%252Fscript>
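As an added illustration (not part of the advisory and not Zaep’s own code), the script below models the filter-bypass pattern described above: the query string is decoded once, ‘/’ is stripped, and a second decode runs before the value is reflected. The advisory does not state Zaep’s exact processing order, so that second decode is an assumption used to reproduce the reported behavior. Beside it is a hardened handler that canonicalizes the input by decoding to a fixed point (rejecting inputs that never stabilize), validates the key against the format of the advisory’s sample URL (the regex is an assumption drawn from that one sample), and HTML-encodes anything it reflects.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample inputs. The benign key follows the advisory's sample URL;
# the encoded ones use the pattern from the advisory's exploit string.
KEY_BENIGN = "3d981f0f.4056b0a6.23285275"
KEY_SINGLE_ENCODED = "<script>alert(1)<%2Fscript>"    # one layer of URL encoding
KEY_DOUBLE_ENCODED = "<script>alert(1)<%252Fscript>"  # double-encoded slash

# Assumption: key format inferred from the single sample in the advisory.
KEY_RE = re.compile(r"^[0-9a-f]{8}\.[0-9a-f]{8}\.[0-9a-f]{8}$")


def vulnerable_reflect(query_value: str) -> str:
    """Model of the reported weakness: filter runs between two decode passes."""
    once = unquote(query_value)            # %252F -> %2F, %2F -> /
    filtered = once.replace("/", "")       # strips '/' so </script> cannot close
    twice = unquote(filtered)              # assumed second decode: %2F -> /
    return f"<p>Your key: {twice}</p>"


def fully_decode(value: str, max_rounds: int = 5) -> str:
    """Decode until the value stops changing; refuse pathological nesting."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("input did not reach a stable decoding")


def is_valid_key(value: str) -> bool:
    """Allow-list check: only canonical keys in the expected shape pass."""
    try:
        canonical = fully_decode(value)
    except ValueError:
        return False
    return KEY_RE.fullmatch(canonical) is not None


def hardened_reflect(query_value: str) -> str:
    """Canonicalize first, validate, then HTML-encode whatever is reflected."""
    try:
        canonical = fully_decode(query_value)
    except ValueError:
        return "<p>Invalid key.</p>"
    if not KEY_RE.fullmatch(canonical):
        # Reflecting the rejected value is still safe because it is escaped.
        return f"<p>Invalid key: {html.escape(canonical, quote=True)}</p>"
    return f"<p>Your key: {html.escape(canonical, quote=True)}</p>"


def contains_closing_script_tag(page: str) -> bool:
    """Detection helper: does the rendered page carry a live </script> tag?"""
    return "</script>" in page.lower()


if __name__ == "__main__":
    for label, key in [("single", KEY_SINGLE_ENCODED), ("double", KEY_DOUBLE_ENCODED)]:
        print(label, "vulnerable:", contains_closing_script_tag(vulnerable_reflect(key)),
              "hardened:", contains_closing_script_tag(hardened_reflect(key)))
```

The point of the hardened version is that the filter is no longer the defence: the input is reduced to a single canonical form before any decision is made, and output encoding makes the reflected value inert regardless of what survived validation.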

Vendor response:
The vendor has been very cooperative and issued a patch to remedy this issue as soon as they were notified of it (and of its severity).

Categories: Windows