Stored XSS on Communigate Pro 5.2.14 and prior versions 
CommuniGate Pro Web Mail URI Parsing HTML Injection Vulnerability
Jul 23 2009 04:09PM

- Description
The Communigate Pro webmail framework is prone to a stored Cross Site
Scripting vulnerability through crafted plain text email messages.

- Affected version:
5.2.14 and prior as reported from Communigate:
http://www.communigate.com/cgatepro/History52.html

- Details
This vulnerability can be exploited if an attacker sends a plain text
message to the victim address containing a malicious crafted URL;
the internal parser fails to parse the malicious URL and executes
Javascript code every time user reads the message.
An attacker may be able to use this vulnerability to steal sensitive
information from a user's computer (e.g. current SessionID) or force
the user's computer to execute stealth operations.

- Example of crafted URL
http://www.example.com/&z="><script>alert(document.cookie)</script>&f=

- Patch
Install Communigate Pro 5.2.15 as reported by Communigate:
5.2.15 15-Jul-2009: * Bug Fix: WebUser: 5.1.2: links in plain text
messages could be processed incorrectly.

- Links
http://www.communigate.com/cgatepro/
http://www.securityfocus.com/bid/35783/info


-- 
Andrea "bunker" Purificato
http://rawlab.mindcreations.com