Beyond Security has discovered a security vulnerability in Zaep AntiSpam 2.0. The vulnerability would allow a remote attacker to use the Zaep program's CGI to cause it to return third-party content as if it were its own (a cross-site scripting vulnerability). Depending on the web server's configuration and the site's sensitivity, this would allow an attacker to steal cookies, display alternative information (cross-site defacement), or redirect users to malicious sites.
Credit:
The information has been provided by Noam Rathaus.
Once you send an email to an organization protected by Zaep, a URL like http://vulnerable.zaep/?key=3d981f0f.4056b0a6.23285275 is issued. If you modify the URL to include <script>something</script>, Zaep converts the '/' character to '\', so the script clause does not work properly. As far as it goes, this behavior "protects" the product from a cross-site scripting vulnerability. However, double encoding the '/' character (%252F) bypasses this conversion and allows malicious content (JavaScript, HTML, etc.) to be inserted into the page.
Exploit (for all the vulnerabilities):
http://vulnerable.zaep/?key=<script>alert(document.cookie)<%252Fscript>
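The following is an added illustration, not Zaep's code: it models the order-of-operations flaw the advisory describes (a single-character filter applied between two URL-decoding steps, so %252F slips through) next to the hardened handling a defender would use (canonicalise fully, then HTML-escape everything reflected into the page). The decode/filter/decode pipeline is an assumption about how the product behaved, chosen to reproduce the observed bypass.

```python
# Added example: why a "replace '/' with '\'" filter fails when it runs before the
# final URL-decoding step, and how to handle the reflected value correctly instead.
from html import escape
from urllib.parse import unquote

# Constructed sample inputs: a benign key in the advisory's format, a singly
# encoded probe the filter does catch, and the double-encoded form that bypasses it.
BENIGN_KEY = "3d981f0f.4056b0a6.23285275"
SINGLE_ENCODED = "<script>alert(1)<%2Fscript>"
DOUBLE_ENCODED = "<script>alert(1)<%252Fscript>"


def filter_then_decode(raw_key: str) -> str:
    """Assumed vulnerable pipeline: the web server decodes the query string once,
    the application then converts '/' to '\\' as its XSS defence, and a later
    layer decodes again before echoing the key into the HTML page."""
    once = unquote(raw_key)              # %252F -> %2F, %2F -> '/'
    filtered = once.replace("/", "\\")   # only catches a literal '/' present now
    return unquote(filtered)             # %2F -> '/', after the filter already ran


def decode_then_escape(raw_key: str) -> str:
    """Hardened handling: decode until the value stops changing (bounded), then
    HTML-escape the whole reflected value rather than blacklisting one character."""
    value = raw_key
    for _ in range(3):                   # bounded canonicalisation loop
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return escape(value, quote=True)


def is_reflected_unsafely(rendered: str) -> bool:
    """Detection check: a raw closing script tag surviving into the page output
    means the filter lost."""
    return "</script>" in rendered.lower()
```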
Vendor response:
The vendor has been very cooperative and issued a patch to remedy this issue as soon as they were notified of it (and its severity).