CVE-2015-2349 – SuperWebMailer XSS (Cross-site Scripting) Web Security Vulnerabilities


CVE-2015-2349 – SuperWebMailer XSS (Cross-site Scripting) Web Security Vulnerabilities

Exploit Title: CVE-2015-2349 – SuperWebMailer /defaultnewsletter.php” HTMLForm Parameter XSS Web Security Vulnerabilities

Product: SuperWebMailer

Vendor: SuperWebMailer

Vulnerable Versions: 5.*.0.*   4.*.0.*

Tested Version: 5.*.0.*   4.*.0.*

Advisory Publication: March 11, 2015

Latest Update: May 03, 2015

Vulnerability Type: Cross-Site Scripting [CWE-79]

CVE Reference: CVE-2015-2349

Impact CVSS Severity (version 2.0):

CVSS v2 Base Score: 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N) (legend)

Impact Subscore: 2.9

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type: Allows unauthorized modification

Author and Creditor: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

Information Details:

(1) Vendor & Product Description:



Product & Vulnerable Versions:


Vendor URL & Download:

SuperWebMailer can be gained from here,

Product Introduction Overview:

“Super webmail is a web-based PHP Newsletter Software. The web-based PHP Newsletter Software Super webmail is the optimal solution for the implementation of a successful e-mail marketing.”

“To use the online PHP Newsletter Script is your own website / server with PHP 4 or newer, MySQL 3.23 or later and the execution of CronJobs required. Once installed, the online newsletter software Super webmail can be served directly in the browser. The PHP Newsletter Tool Super webmail can therefore be used platform-independent all operating systems such as Windows, Linux, Apple Macintosh, with Internet access worldwide. The PHP Newsletter Script allows you to manage your newsletter recipients including registration and deregistration from the newsletter mailing list by double-opt In, Double Opt-Out and automatic bounce management. Send online your personalized newsletter / e-mails in HTML and Text format with embedded images and attachments immediately in the browser or by CronJob script in the background immediately or at a later. With the integrated tracking function to monitor the success of the newsletter mailing, if thereby the openings of the newsletter and clicks on links in the newsletter graphically evaluated and presented. Put the integrated autoresponder to autorun absence messages or the receipt of e-mails to confirm.”

“It is now included CKEditor 4.4.7. An upgrade to the latest version is recommended as an in CKEditor 4.4.5 Vulnerability found. Super webmail from immediately contains new chart component for the statistics that do not need a flash and are therefore also represented on Apple devices. For the Newsletter tracking statistics is now an easy print version of the charts available that can be printed or saved with PDF printer driver installed in a PDF file. When viewing the e-mails in the mailing lists of the sender of the email is displayed in a column that sent the e-mail to the mailing list. For form creation for the newsletter subscription / cancellation are now available variant”

(2) Vulnerability Details:

SuperWebMailer web application has a computer security bug problem. It can be exploited by XSS attacks. This may allow a remote attacker to create a specially crafted request that would execute arbitrary script code in a user’s browser session within the trust relationship between their browser and the server. 

Several other related products 0-day vulnerabilities have been found by some other bug hunter researchers before. SuperWebMailer has patched some of them. FusionVM Vulnerability Management and Compliance provides sources for the latest info-sec news, tools, and advisories. It has published suggestions, advisories, solutions details related to web application vulnerabilities.

(2.1) The programming code flaw occurs at “&HTMLForm” parameter in “defaultnewsletter.php?” page.

Related Work:


Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust



Amazon Covert Redirect Bug Based on Kindle Daily Post, Omnivoracious, Car Lust

— Amazon Covert Redirect Based on Kindle Daily Post, Omnivoracious, Car Lust & Open Redirect Web Security Vulnerabilities

“, Inc. (/ˈæməzɒn/ or /ˈæməzən/) is an American electronic commerce company with headquarters in Seattle, Washington. It is the largest Internet-based retailer in the United States. started as an online bookstore, but soon diversified, selling DVDs, Blu-rays, CDs, video downloads/streaming, MP3 downloads/streaming, software, video games, electronics, apparel, furniture, food, toys and jewelry. The company also produces consumer electronics—notably, Amazon Kindle e-book readers, Fire tablets, Fire TV and Fire Phone — and is a major provider of cloud computing services. Amazon also sells certain low-end products like USB cables under its inhouse brand AmazonBasics. Amazon has separate retail websites for United States, United Kingdom & Ireland, France, Canada, Germany, The Netherlands, Italy, Spain, Australia, Brazil, Japan, China, India and Mexico. Amazon also offers international shipping to certain other countries for some of its products. In 2011, it had professed an intention to launch its websites in Poland and Sweden.” (Wikipedia)


All,, are websites belonging to Amazon.

“The Kindle Post keeps Kindle customers up-to-date on the latest Kindle news and information and passes along fun reading recommendations, author interviews, and more.”

“Omnivoracious is a blog run by the books editors at We aim to share our passion for the written word through news, reviews, interviews, and more. This is our space to talk books and publishing frankly and we welcome participation through comments. Please visit often or add us to your favorite RSS reader to keep up on the latest information.”

“Car Lust is, very simply, where interesting cars meet irrational emotion. It’s a deeply personal exploration of the hidden gems of the automotive world; a twisted look into a car nut’s mind; and a quirky look at the broader automotive universe – a broader universe that lies beneath the new, the flashy, and the trendy represented in the car magazines.”



Discover and Reporter:
Wang Jing, Division of Mathematical Sciences (MAS), School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore. (@justqdjing)

Vulnerabilities Description:

Amazon has a computer bug security problem. Both Amazon itself and its websites are vulnerable to different kind of attacks. This allows hackers to do phishing attacks to Amazon users.


When a user is redirected from amazon to another site, amazon will check a variable named “token”. Every redirected website will be given one token. This idea is OK. However, all URLs related to the redirected website use the same token. This means if the authenticated site itself has Open Redirect vulnerabilities. Then victims can be redirected to any site from Amazon.


The program code flaw can be attacked without user login. Tests were performed on Microsoft IE (9 9.0.8112.16421) of Windows 7, Mozilla Firefox (37.0.2) & Google Chromium 42.0.2311 (64-bit) of Ubuntu (14.04.2),Apple Safari 6.1.6 of Mac OS X v10.9 Mavericks.

Use a website for the following tests. The website is ““. Suppose this website is malicious,



(1) Kindle Daily Post Open Redirect & Amazon Covert Redirect Based on

(1.1) Kindle Daily Post Open Redirect Security Vulnerability

Vulnerable Links:




(1.2) Amazon Covert Redirect Based on

Vulnerable URL of Amazon:








(2) Omnivoracious Open Redirect & Amazon Covert Redirect Based on

(2.1) Omnivoracious Open Redirect Security Vulnerability

Vulnerable Links:




(2.2) Amazon Covert Redirect Based on

Vulnerable URL:








(3) Car Lust Open Redirect & Amazon Covert Redirect Based on

(3.1) Car Lust Open Redirect Security Vulnerability

Vulnerable Links:




(3.2) Amazon Covert Redirect Based on

Vulnerable URL:








Vulnerabilities Disclosure:

The vulnerabilities were reported to Amazon in 2014. Amazon has patch the vulnerabilities.





Related Articles:

Covert Redirect Mengancam OAuth 2.0 dan OpenID

Covert Redirect Mengancam OAuth 2.0 dan OpenID

Pada Jumat lalu, Wang Jing, seorang mahasiswa program PhD di Nanyang Technological University di Singapura, menerbitkan sebuah laporan yang memjabarkan tentang metode serangan yang disebut dengan “Covert Redirect” dan memperkenalkannya sebagai kerentanan atau vulnerable di OAuth 2.0 dan OpenID.


Cara kerja OAuth 2.0 dan OpenID sendiri adalah dengan memberikan akses bagi pengguna layanan ini untuk mendapatkan domain yang dapat mengakses menggunakan kredensial yang telah ada kepada website lain seperti Facebook, Google, Microsoft atau LinkedIn. Dengan akses yang didapatkan pengguna layanan ini dapat menghapus sebuah akun dan menggantinya dengan akun yang baru.

Keep calm e fate attenzione: OpenID e OAuth sono vulnerabili

Keep calm e fate attenzione: OpenID e OAuth sono vulnerabili

Solo un paio di settimane dopo il preoccupante bug conosciuto come Heartbleed, un utente di Internet come me e voi ha scoperto una nuova e a quanto pare diffusa vulnerabilità, anche questa non facile da  risolvere. Si tratta del bug “Covert redirection”, scoperto di recente da Wang Jing, uno dottorando in matematica presso la Nanyang Technological University di Singapore. Il problema è stato riscontrato all’interno dei popolari protocolli Internet OpenID e OAuth. Il primo protocollo viene utilizzato quando si cerca di accedere a un sito web usando le credeziali già create per i servizi di Google, Facebook o LinkedIn. Il secondo viene utilizzato quando si autorizza un sito web, una app o alcuni servizi con Facebook, Google +, ecc… senza rivelare di fatto la password e le credenziali a siti esterni. Questi due metodi vengono spesso usati insieme e, a quanto pare, potrebbero permettere ai cybercriminali di mettere mano sulle informazioni degli utenti.

Unified Communications, Globus, Stecker, Telefon

La minaccia

Su Threatpost sono disponibili maggiori informazioni tecniche sul bug e un link alla ricerca originale, in inglese. Ma andiamo la sodo e osserviamo come funziona un possibile attacco e quali sarebbero le sue conseguenze. In primo luogo, affinché si verifichi il problema, un utente dovrebbe visitare un sito di phishing dannoso dotato del tipico “Accedi con Facebook”. Il sito potrebbe assomigliare del tutto a un servizio popolare esterno, fingendosi e proponendosi come un nuovo servizio. Poi il vero Facebook, Google +  o LinkedIn lancia una popup che invita l’utente a inserire le credenziali di login e la password per autorizzare i servizi appena menzionati (e in teoria “rispettabili”) e permettere all’utente di accedere. Nell’ultima fase, l’autorizzazione a usare il profilo viene inviata a un sito diverso (di phishing), “redirezionando” le informazioni in forma impropria.

Alvorlig feil i utbredt innloggingssystem

Alvorlig feil i utbredt innloggingssystem

Benyttes av Facebook, Google, Yahoo, LinkedIn, Microsoft og mange flere.

Wang Jing, en doktorgradstudent ved Nanyang Technological University i Singapore, har oppdaget en alvorlig sårbarhet knyttet til autentiseringssystemene OAuth 2.0 og OpenID. Sårbarheten, som er av typen «covert redirect», dreier seg om at en applikasjon tar en parameter og omdirigerer en bruker til parameteren uten tilstrekkelig validering. Ifølge Jing skyldes dette ofte at nettsteder har for stor tillit til sine partnere.


– Nettstedet sjekker domenenavnet mot et «token» (tildelt til partneren som et middel for verifisering) i den omdirigerte URL-en. Dersom paret er i godkjent-listen i nettstedets database, vil det tillate omdirigeringen. Men dersom URL-en tilhører et domene som har en «open redirect»-sårbarhet, kan brukerne omdirigeres fra nettstedet til et sårbart nettsted og deretter til en ondsinnet nettsted, skriver Jing.