NetSaro Enterprise Messenger Server Plaintext Password Storage Vulnerability

Solutionary ID: SERT-VDN-1011

Risk Rating: Medium

CVE ID: CVE-2011-3693

Product: Enterprise Messenger Server

Application Vendor: SEM Software

Vendor URL:

Date discovered: 06/30/2011

Discovered by: Rob Kraus, Jose Hernandez, and the Solutionary Security Engineering Research Team (SERT)

Vendor notification date: 07/01/2011

Vendor response date: No Response

Vendor acknowledgment date: No Response

Public disclosure date: 11/15/2011

Type of vulnerability: Cross-Site Scripting (XSS) - Reflected

Exploit Vectors: Local and Remote

Vulnerability Description: The applications web interface contains an injection point which allows for execution of Cross-site Scripting (XSS) attacks. Arbitrary client side code such as JavaScript can be included into certain parameters throughout the web application. The hardware dongle must be inserted in order to leverage the vulnerability. The following parameters and web pages have been tested and verified; however, it is possible additional views and parameters within the application may be vulnerable:
Licenses.html (BoxSerial parameter)

Tested on: Windows XP SP3

Affected software versions: WebAdmin version 3.30 and 4.30 (previous versions may also be vulnerable)

Impact: Successful attacks could disclose sensitive information about the user, session, and application to the attacker, resulting in a loss of confidentiality. Using XSS, an attacker could insert malicious code into a web page and entice naïve users to execute the malicious code.

Fixed in: Pending - The vendor has logged the issue and anticipates a patch to be available in Autumn 2011

Remediation guidelines: Restrict access to internal network segments and monitor vendor notifications for application updates that may address and fix the issues identified. Remove the hardware dongle from the affected system when not needed.