Products: IMail Server Plus, IMail Server Premium, IMail Server

Cross Site Scripting Vulnerability v12

Description
A Cross Site Scripting (XSS) vulnerability was discovered within the IMail web interface by an anonymous researcher working with Beyond Security's SecuriTeam Secure Disclosure program (http://www.beyondsecurity.com/ssd.html).

This vulnerability could allow an attacker to inject XSS into an email to extract information about the web session, then possibly hijack the session and take over the user's account.

We would like to thank them for letting us know about this vulnerability.

This XSS vulnerability DOES NOT affect versions prior to 12.0.

Solution
We have a patch that will correct this vulnerability, and you may apply it in one of two ways:

Option 1: If you ARE NOT currently running IMail version 12.5.3, download and upgrade IMail to version 12.5.3.99 from this link.

Option 2: If you ARE currently running IMail version 12.5.3, you may download the new WebClient v2 zip file from this link and follow these steps, or use Option 1.
  1. Download and save the zip file to your server.
  2. Stop the World Wide Web Publishing Service in Windows Services.
  3. Rename the ...\IMail\WebDir\WebClient v2 directory to something else.
  4. Unzip the new WebClient v2 into the ...\IMail\WebDir directory.
    Note: If you have customized or branded the web interface, copy .\IMail\WebDir\WebClient v2\Login\DomainBranding from the old directory to the new one.
  5. Ensure the Windows permissions are set on the new folder:
    • Right-click the WebClient v2 folder and select Properties
    • Click the Security tab
    • Click the Advanced button
    • Make sure inherit from parent is selected
    • Click OK to close the Properties windows
  6. Restart the World Wide Web Publishing Service.
  7. Test Web Mail.
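The following PowerShell script is an added example that automates the Option 2 steps above on the server; it is not Ipswitch's own script and is not part of this advisory. It assumes IMail is installed under `$IMailRoot` (the advisory elides the path as `...\IMail`), that the downloaded archive is at `$ZipPath`, that the zip contains a top-level `WebClient v2` folder as the advisory's step 4 implies, and that the web client answers at `$WebMailUrl`; all three values are placeholders to adjust. It must be run from an elevated PowerShell session, and it keeps the renamed old directory so you can roll back if the smoke test in step 7 fails.

```powershell
# Added example: automate the advisory's Option 2 procedure.
# The three values below are ASSUMPTIONS/placeholders, not from the advisory.
$IMailRoot  = 'C:\Program Files (x86)\Ipswitch\IMail'        # assumed install path ("...\IMail")
$ZipPath    = "$env:USERPROFILE\Downloads\WebClient-v2.zip"  # assumed download location (step 1)
$WebMailUrl = 'http://localhost/IMail/'                      # assumed webmail URL for the smoke test

$ErrorActionPreference = 'Stop'

$webDir    = Join-Path $IMailRoot 'WebDir'
$clientDir = Join-Path $webDir 'WebClient v2'
$backupDir = "$clientDir.pre-patch-$(Get-Date -Format 'yyyyMMdd-HHmmss')"

# Step 1: confirm the zip was actually downloaded before touching the server.
if (-not (Test-Path -LiteralPath $ZipPath))   { throw "Zip not found: $ZipPath" }
if (-not (Test-Path -LiteralPath $clientDir)) { throw "WebClient v2 not found under $webDir" }

# Step 2: stop the World Wide Web Publishing Service (service name W3SVC).
Stop-Service -Name W3SVC
(Get-Service -Name W3SVC).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

# Step 3: rename the existing directory rather than deleting it (rollback copy).
Rename-Item -LiteralPath $clientDir -NewName (Split-Path -Leaf $backupDir)

# Step 4: unzip the new WebClient v2 into WebDir (zip assumed to contain the folder).
Expand-Archive -LiteralPath $ZipPath -DestinationPath $webDir
if (-not (Test-Path -LiteralPath $clientDir)) {
    throw "Archive did not produce '$clientDir'; check the zip layout (old copy kept at $backupDir)"
}

# Step 4 note: carry over domain branding if the site was customized.
$oldBranding = Join-Path $backupDir 'Login\DomainBranding'
if (Test-Path -LiteralPath $oldBranding) {
    Copy-Item -LiteralPath $oldBranding -Destination (Join-Path $clientDir 'Login') -Recurse -Force
}

# Step 5: make the new folder inherit permissions from its parent
# (the GUI "inherit from parent" checkbox). $false = not protected, i.e. inheritance on.
$acl = Get-Acl -LiteralPath $clientDir
$acl.SetAccessRuleProtection($false, $true)
Set-Acl -LiteralPath $clientDir -AclObject $acl

# Step 6: restart the web publishing service.
Start-Service -Name W3SVC
(Get-Service -Name W3SVC).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))

# Step 7: smoke-test Web Mail. A non-200 response leaves the old copy in place for rollback.
$resp = Invoke-WebRequest -Uri $WebMailUrl -UseBasicParsing
if ($resp.StatusCode -ne 200) {
    throw "Web Mail smoke test returned HTTP $($resp.StatusCode); old client kept at $backupDir"
}
Write-Host "WebClient v2 patched; previous copy retained at $backupDir"
```

After the smoke test, verify the fix against the vulnerable behaviour with a full login in a browser and, once satisfied, remove the retained `pre-patch` directory so the unpatched client is not left on disk.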
Version: 12.0; 12.1; 12.2; 12.3; 12.4; 12.5; 12.5.1; 12.5.2; 12.5.3