Ajax WebMail 8.X Security Patch (CVE-2015-5379)

Axigen's WebMail Ajax interface implements a view-attachment function that executes the JavaScript code included in HTML email attachments.

This allows a malicious user to craft email messages that expose an Axigen Ajax WebMail user to cross-site scripting or other attacks that rely on arbitrary JavaScript running within a trusted domain.

Axigen versions starting with 9.0 address this issue by limiting the attachment types for which the in-browser preview is available.

For Axigen 8.x versions, we strongly recommend that you download and apply the patch below.

Solution

  • Axigen v8.0 (without IM): Download Patch
  • Axigen v8.0 (with IM): Download Patch
  • Axigen v8.x (without IM): Download Patch
  • Axigen v8.x (with IM): Download Patch

Vulnerability test

  1. create a file called test.html with the following content: <script>alert('Test for AXI-CVE-20150601')</script>
  2. create a new email, attach test.html and send it to an Axigen account
  3. log in with the recipient account and open it in the Ajax WebMail interface
  4. in the preview pane, locate test.html attachment and open it
    1. if a new tab is opened and a pop-up is displayed with the text you used in the alert call (from test.html), your Axigen server is vulnerable
    2. if a new tab is opened and immediately closed, followed by a local download of the test.html file, your Axigen server is successfully patched.
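The behaviour this test checks for, and the 9.0 mitigation of limiting which attachment types get an in-browser preview, expressed as an added Python example. This is not Axigen's code: the allowlist, the `attachment_headers` function and the header choices are assumptions about how such a viewer can decide between inline rendering and a forced download.

```python
# Added example (not Axigen's code): decide how a webmail attachment viewer
# should serve an attachment. Inline preview is allowed only for a small
# allowlist of passive types; everything else (HTML in particular, which
# would run scripts in the webmail origin) is forced to download.
import re

# Types safe to render inline: the browser executes no script for these.
PREVIEW_ALLOWLIST = {"image/png", "image/jpeg", "image/gif", "text/plain"}

# Extensions browsers treat as active content; never previewed even when
# the message declares a harmless Content-Type for them.
ACTIVE_EXTENSIONS = {".html", ".htm", ".xhtml", ".svg", ".xml", ".js", ".mht"}


def _safe_filename(name: str) -> str:
    """Strip path components and characters that could break the header."""
    name = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    name = re.sub(r"[^\w.\-]", "_", name)
    return name or "attachment"


def attachment_headers(filename: str, declared_type: str) -> dict:
    """Return response headers for viewing one attachment.

    Inline preview only when the declared type is allowlisted and the
    filename carries no active-content extension; otherwise force a
    download with an opaque type so the browser neither sniffs nor renders.
    """
    safe_name = _safe_filename(filename)
    ext = ("." + safe_name.rsplit(".", 1)[-1].lower()) if "." in safe_name else ""
    base_type = declared_type.split(";", 1)[0].strip().lower()

    # nosniff stops a text/plain body from being "upgraded" to HTML.
    headers = {"X-Content-Type-Options": "nosniff"}
    if base_type in PREVIEW_ALLOWLIST and ext not in ACTIVE_EXTENSIONS:
        headers["Content-Type"] = base_type
        headers["Content-Disposition"] = f'inline; filename="{safe_name}"'
    else:
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
    return headers


def is_previewed(filename: str, declared_type: str) -> bool:
    """True when the attachment would be rendered in the browser."""
    disposition = attachment_headers(filename, declared_type)["Content-Disposition"]
    return disposition.startswith("inline")
```

With this logic the test.html from the procedure above is always served as a download, which is the patched outcome the test looks for.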

Patch Installation

  1. download and unzip the patch
  2. replace the ${AXIGEN_WORK_DIR}/webmail/default/private/ajax/actions.hsp file with the one downloaded above, keeping its ownership and file attributes.
    • SIZE: 9716
    • SHA256SUM: 6f43da6262465d1ebbc3bdb4c00d344addd69dda91e94d30f570716da45cfd5a
  3. trigger a restart / configuration reload
    • Linux: trigger configuration reload (usually done by running 'service axigen reload')
    • Windows: restart the Axigen service.
OS: Linux, Windows