Vulnerable Systems:
* MIMESweeper For Web version 5
When accessing a URL which is not permitted, the user is redirected to an "access denied" page that is vulnerable to XSS. The page does not input-validate or HTML-encode the input and displays the data "as is".
Usually this means that it enables an attacker to inject HTML or JavaScript code into users' browsers, and by that bypass the browser DOM restrictions.
This JavaScript code can perform actions on behalf of the user, steal authentication cookies, change the appearance of web pages, perform phishing, and generally can do everything the original page can do.
The vulnerability can be exploited by just redirecting the client to some URL that is restricted by MIMESweeper policy and adding the script at the end of the URL.
Proof of Concept:
http://SomeBlackListedSite/<script>PAYLOAD</script>
The central gateway position of MIMESweeper can thus be used to spread malicious scripts to users.
An example attack scenario: an attacker redirects many users (by email, by posting in the organization portal, etc.) to some blocked URL with an accompanying script that steals their authentication cookies.
Detection of this vulnerability involves injecting some HTML tags / scripts into a blocked URL; the MIMESweeper responds with the vulnerable page.
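The following is an added illustration, not Clearswift's code: a minimal model of a gateway "access denied" page that reflects the blocked URL, once in the vulnerable form the advisory describes (raw reflection) and once hardened by HTML-encoding the URL before it is placed in the page, together with the check an auditor would apply to a captured response. The template, function names and the benign marker string are assumptions constructed for the example; against a real gateway the response body would come from an HTTP client rather than from the local render function.

```python
"""Added example (not Clearswift's code): model of a reflected-URL
"access denied" page, vulnerable vs. hardened, plus a response check."""
import html

# Assumed page template; the blocked URL is placed in element content.
DENIED_TEMPLATE = (
    "<html><body><h1>Access denied</h1>"
    "<p>Access to {url} is blocked by policy.</p>"
    "</body></html>"
)


def render_denied_vulnerable(requested_url: str) -> str:
    """Reflects the requested URL verbatim: the behaviour the advisory reports.
    Any markup in the URL becomes markup in the page."""
    return DENIED_TEMPLATE.format(url=requested_url)


def render_denied_safe(requested_url: str) -> str:
    """Hardened form: HTML-encode user-controlled data before reflecting it,
    so '<', '>', '&' and quotes reach the browser as text, not as markup."""
    return DENIED_TEMPLATE.format(url=html.escape(requested_url, quote=True))


# Constructed, harmless marker containing characters that must never survive
# unencoded when user data is reflected into HTML element content.
MARKER = "<i>xss-check</i>"


def reflects_unencoded(body: str, marker: str = MARKER) -> bool:
    """True when the marker appears in the response body with its angle
    brackets intact, i.e. the page reflected input without encoding it."""
    return marker in body


def assessment(blocked_url: str) -> dict:
    """Run the same probe URL through both renderers and report whether each
    one reflects the marker unencoded (True means vulnerable)."""
    probe = blocked_url.rstrip("/") + "/" + MARKER
    return {
        "vulnerable": reflects_unencoded(render_denied_vulnerable(probe)),
        "hardened": reflects_unencoded(render_denied_safe(probe)),
    }


if __name__ == "__main__":
    # Constructed blocked URL; only the reflection behaviour matters here.
    print(assessment("http://blocked.example"))
```

The fix the hardened renderer models is output encoding at the point where the URL is written into the page; rejecting angle brackets on input is not a substitute, because the same URL may be reflected into other contexts (attributes, scripts) that need different encoding.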
Vendor Status:
Clearswift released a patch for this vulnerability following the initial contact and notification.
The patch can be obtained from:
http://www.clearswift.com/support/msw/patch_MswWeb.aspx
and is referred to as "MIMEsweeper for Web 5.1.15 Hotfix".