CVE-2022-41676 Raiden MAILD Mail Server website mail field has insufficient filtering for user input
The issue is reported in the 'Website Mail Field' plugin that enables users to send email from the website. Users do not have to change any settings to be vulnerable. An attacker can send an email containing malicious JavaScript code to the recipient. The malicious code will be executed in the context of the website with high privilege level and can do anything an attacker can do. This can be XSS or any other malicious code injection. In this example, we are using a malicious script that prints the current time of the server on the attacker’s website. The attacker can use the time of the target server to find out the time where the server is accessible and send a time-based attack.
Steps to test nettime
You can run the script to test if you are vulnerable.
1. Create a new website and create a page that contains an iframe with the content of the target website's header (below).
2. Inject the malicious JavaScript code into the iframe (see code below)
3. Send yourself an email with the subject 'Test This Works'. The message body should contain your malicious code via JavaScript injection.
4. Open the email in Gmail, Google Drive, or another webmail client and check if you have been sent an email containing your malicious code.
Finding a vulnerable website
The first step is to find a vulnerable website. There are some ways of doing this:
1) Google the plugin name and any parameter for the plugin that you think could be used as an attack vector.
2) Search for it on any public website like GitHub.
3) If the plugin has a website, search for it on that website.
4) Search for the vulnerability on vulnerability-lab or Google search engine and then use one of the methods above to find out if it exists and what type of impact it can have.
Time based attack
Time-based attacks are not just limited to a specific time. They can also be time-delayed, or time-triggered. This means that the attacker can wait until a certain time of the day and then initiate a malicious action in order to break through security measures by making the target vulnerable at that moment. For example, if the target is using HTTPS, an attacker can create a man-in-the-middle attack with different IPs. Then, when the target is vulnerable to traffic from those IPs, it will happen at that exact moment. Another way to do this is by waiting for days and initiating an attack on a specific day.
Timeline
Published on: 11/29/2022 04:15:00 UTC