Ajax WebMail 8.x security patch (CVE-2015-5379)

Axigen's WebMail Ajax interface implements a view attachment function that executes the javascript code which is included in email HTML attachments.


This allows a malicious user to craft email messages that could expose an Axigen Ajax WebMail user to cross site scripting or other attacks that rely on arbitrary javascript code running within a trusted domain.


Axigen versions starting with 9.0 address this issue by limiting the attachment types for which the in-browser preview is available.


For Axigen 8.x versions, we strongly recommend you to download & apply the patch below.

Solution

Axigen v8.0 (without IM)

Download Patch

Axigen v8.0 (with IM)

Download Patch

Axigen v8.x (without IM)

Download Patch

Axigen v8.x (with IM)

Download Patch

Vulnerability test

  1. create a file called test.html with the following content:
  2. create a new email, attach test.html and send it to an Axigen account
  3. log in with the recipient account and open it in the Ajax WebMail interface
  4. in the preview pane, locate test.html attachment and open it
    1. if a new tab is opened and a pop-up screen is displayed with the text you have used for the alert action (from test.html), your Axigen server is vulnerable
    2. if a new tab is opened and immediately closed followed by downloading locally test.html file, your Axigen server contains is successfully patched.

Patch Installation

  1. download and unzip the patch
  2. replace the ${AXIGEN_WORK_DIR}/webmail/default/private/ajax/actions.hsp file with the one downloaded from above, keeping the ownership and its file attributes.
    • SIZE: 9716
    • SHA256SUM: 6f43da6262465d1ebbc3bdb4c00d344addd69dda91e94d30f570716da45cfd5a
  3. trigger a restart / configuration reload
    • Linux: trigger configuration reload (usually done by running 'service axigen reload')
    • Windows: restart the Axigen service.
OS: LinuxWindows
Releases: Axigen 8..xAxigen 8.1.xAxigen 8.2.x