SmarterTools SmarterMail version 8.0 suffers from multiple cross site scripting vulnerabilities.
d79dc1dfa1dea9c0c04be9585a4091dccd9d4c5cd706ede9b1b1418dce1a10e4
Author: Hoyt LLC Research | http://xss.cx | http://cloudscan.me
Identified: March 14, 2011
Vendor: SmarterTools <http://www.smartertools.com/>
Application: SmarterMail Version 8.0
Bug(s): Stored XSS, Reflected XSS
Patch: None Available
Timeline: Vendor notification simultaneous with publication
Publication:
http://www.cloudscan.me/2011/03/smartermail-80-stored-xss-reflected-xss.html
SUMMARY STATEMENT: CWE-79 <http://cwe.mitre.org/data/definitions/79.html>:
The software does not neutralize or incorrectly neutralizes
user-controllable input before it is placed in output that is used as a web
page that is served to other users.
Stored XSS - CWE-79, CAPEC-86
------------------------------
Issue: Cross-site scripting (stored)
Severity: High
Confidence: Certain
Host: http://vulnerable.smartermail.80.site:9998
Path: /Main/frmPopupContactsList.aspx
------------------------------
[image: smartermail-80-stored-xss-3.JPG]
Issue detail: The value of the
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText request parameter
submitted to the URL /Main/frmContact.aspx is copied into the HTML document
as plain text between tags (an HTML text-node context, where an unencoded
'<' opens a new tag) at the URL /Main/frmPopupContactsList.aspx. The
payload e7bf9<script>alert(1)</script>96f90bed938 was submitted in the
ctl00%24MPH%24wucContactInfo%24txtEmailAddress_SettingText parameter. This
input was returned unmodified in a subsequent request for the URL
/Main/frmPopupContactsList.aspx. Because the value is persisted and echoed in
a later response rather than only in the response to the request that carried
it, the issue is stored rather than reflected.
This proof-of-concept demonstrates that it is possible to inject
arbitrary JavaScript into the application's response.
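The check behind the finding above is simple to automate: wrap a probe in a random prefix and suffix (as in e7bf9<script>alert(1)</script>96f90bed938), store it through one page, fetch the page that renders it, and inspect what comes back between the two markers. The following is an added example, not code from the advisory or from Hoyt LLC or SmarterTools; the two render functions are constructed stand-ins for the contacts list page (the real frmPopupContactsList.aspx is ASP.NET and its markup is not shown on this page), so the classifier can be exercised offline. The classifier itself is generic and works on any captured response body.

```python
import html
import re
import secrets

# Core of the probe used in the advisory; the random hex prefix/suffix
# generated by make_probe() make each reflected copy uniquely locatable.
PROBE_CORE = "<script>alert(1)</script>"


def make_probe(core=PROBE_CORE):
    """Return (prefix, core, suffix) with fresh random markers (assumed helper)."""
    return secrets.token_hex(3), core, secrets.token_hex(6)


def classify_reflection(body, prefix, core, suffix):
    """Classify how a stored value reappears in a later response.

    'unencoded' : prefix+core+suffix is present verbatim -> markup is live (XSS).
    'encoded'   : core came back HTML-entity-encoded -> output encoding applied.
    'altered'   : markers present but the middle is neither verbatim nor a
                  clean encoding (e.g. a filter stripped characters).
    'absent'    : markers not found in this response at all.
    """
    pattern = re.compile(re.escape(prefix) + r"(.*?)" + re.escape(suffix), re.S)
    middles = pattern.findall(body)
    if not middles:
        return "absent"
    if any(m == core for m in middles):
        return "unencoded"
    if all(html.unescape(m) == core for m in middles):
        return "encoded"
    return "altered"


# Constructed stand-in for the vulnerable behaviour described above: the
# stored e-mail address is dropped into a text-node context unchanged.
def render_popup_contacts_vulnerable(emails):
    rows = "".join(f"<tr><td>{e}</td></tr>" for e in emails)
    return f"<html><body><table>{rows}</table></body></html>"


# Constructed hardened form: HTML-entity-encode on output. html.escape here
# plays the role HttpUtility.HtmlEncode would play in an ASP.NET page.
def render_popup_contacts_fixed(emails):
    rows = "".join(f"<tr><td>{html.escape(e, quote=True)}</td></tr>" for e in emails)
    return f"<html><body><table>{rows}</table></body></html>"


if __name__ == "__main__":
    prefix, core, suffix = make_probe()
    probe = prefix + core + suffix
    for name, render in (("vulnerable", render_popup_contacts_vulnerable),
                         ("fixed", render_popup_contacts_fixed)):
        print(name, "->", classify_reflection(render([probe]), prefix, core, suffix))
```

In a live test the two render calls are replaced by an authenticated POST to frmContact.aspx followed by a GET of frmPopupContactsList.aspx; "unencoded" reproduces the advisory's result, "encoded" is what a patched build should return, and "altered" flags a blacklist filter that deserves a closer look rather than a clean bill.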
Blog URI Post
http://www.cloudscan.me/2011/03/smartermail-80-stored-xss-reflected-xss.html
Full Disclosure Report URI
http://xss.cx/examples/smartermail-80-full-disclosure-report-hoyt-llc-research.html
More to come.