XML External Entity Injection (XXE) and Reflected XSS in Scalix Web Access

SEC Consult Vulnerability Lab Security Advisory < 20141031-0 >

=======================================================================

title: XML External Entity Injection (XXE) and Reflected XSS

product: Scalix Web Access

vulnerable version: 11.4.6.12377 and 12.2.0.14697

fixed version: -

impact: Critical

homepage: www.scalix.com

found: 2014-08-27

by: R. Giruckas, A. Kolmann

SEC Consult Vulnerability Lab

www.sec-consult.com

=======================================================================

Vendor description:

-------------------

"Employees need to access their email from wherever they happen to be – on the

road, at customer sites, remote offices, and at home. Users who need remote

access to their email often include customer-facing sales and support

personnel, who need to stay connected and informed to be responsive to

customers. The problem is, most web clients have slow performance and limited

functionality. Scalix Web Access is different. It is an AJAX-based web client

that delivers the look and feel, usability and performance of a desktop

application."

Source: www.scalix.com/communityedition-scalixwebaccess

 

Business recommendation:

------------------------

By exploiting the XXE vulnerability, an unauthenticated attacker can get

read access to the filesystem of the Scalix Mail Server host and thus obtain

sensitive information such as the configuration files, etc.

It is also possible to scan ports of the internal hosts and cause DoS on

the affected host.

 

Vulnerability overview/description:

-----------------------------------

1) XML External Entity Injection

The used XML parser is resolving external XML entities which allows attackers

to read files and send requests to systems on the internal network (e.g port

scanning). The risk of this vulnerability is highly increased by the fact

that it can be exploited by anonymous users without existing user accounts.

2) Reflected XSS

The Scalix mail administration login panel is prone to the reflected cross site

scripting attacks. The vulnerability can be used to include HTML or JavaScript

code to the affected web page. The code is executed in the browser of users

if they visit the manipulated URL.

 

Proof of concept:

-----------------

The proof of concept information has been removed from this advisory as the

vendor failed to respond within 50 days and no patch is available.

1) XML External Entity Injection

The unauthenticated XML External Entity Injection vulnerability can be

exploited by issuing a specially crafted HTTP POST request to the [removed]

handler.

 

2) Reflected XSS

The supplied parameter value in the [removed] script is reflected without

proper validation and executed in the context of the web browser.

 

Vulnerable / tested versions:

-----------------------------

The XXE vulnerability has been verified to exist in the Scalix Web Access

version 11.4.6.12377 and 12.2.0.14697.

The reflected XSS vulnerability has been verified to exist in the Scalix Web Access

version 11.4.6.12377. Version 12 has not been tested against XSS.

 

Vendor contact timeline:

------------------------

2014-09-11: Contacting vendor through info@scalix.com, requesting encryption

keys and attaching responsible disclosure policy

2014-10-13: No response so far, hence trying again by contacting vendor

through info@scalix.com

2014-10-28: No response so far, hence trying again by contacting vendor

through info@scalix.com

2014-10-31: SEC Consult releases security advisory

 

Solution:

---------

None available.

 

Workaround:

-----------

There is no workaround known other than to disable Scalix Web Access until a

thorough security review has been performed and patches are available.

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult

Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius - Zurich

Headquarter:

Mooslackengasse 17, 1190 Vienna, Austria

Phone: +43 1 8903043 0

Fax: +43 1 8903043 15

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

Interested to work with the experts of SEC Consult?

Write to career@sec-consult.com

EOF A. Kolmann / @2014