During a threat assessment for a major Fortune 500 company, DeepCode analyzed web-based targets hosted by a Hong Kong-based company named CommuniLink. Customers can manage back-office services such as mail and spam configuration via a control panel called CLink Office, which is made by CommuniLink itself. This application is vulnerable to at least one Cross-Site Scripting (XSS) issue via parameter injection. As of 18 January 2020, a simple Google search returned 2,500 web servers using the application, mostly in Hong Kong.
The control panel has multiple issues. The first is that it uses a vulnerable version of the Horde webmail client. Although the developer commented out the link on the main page, the actual web application was left on the clients' hosts.
From there, an adversary can access the Horde login page via the /horde/imp/login.php link, which is open to various vulnerabilities, including Local File Inclusion (LFI) and Remote Code Execution (RCE).
Doing so results in various links within the page being modified, including the link tag:
[gist id="707aa537a707c558700b44ce3b6072d3" file="injected.html"]
Most control panels nowadays leverage frameworks and libraries that filter client inputs; however, this specific case shows that custom-made scripts are still out there. Clients seeking hosting services should avoid these and request that hosting companies employ validated and verified software.
CommuniLink was first contacted on 7 Jan 2020 and a second time on 13 Jan 2020. HKCERT was contacted on 2 Mar 2020. No answer was received and as such this vulnerability is disclosed after 90 days of discovery.
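The input handling that frameworks perform, and that a custom script has to do itself when it reflects a request value into a link tag, is sketched below as an added example; it is not CLink Office code. The /style.php path, the lang and v parameters and the sample value are assumptions constructed for illustration.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode

# Constructed, harmless sample: a value containing a double quote.
SAMPLE = 'en" data-injected="1'

def link_tag_unsafe(lang: str) -> str:
    # Defect class: the raw request value is concatenated into an attribute.
    return '<link rel="stylesheet" href="/style.php?v=2&lang=' + lang + '">'

def link_tag_safe(lang: str) -> str:
    # Encode for the URL context first, then for the HTML attribute context.
    # The second step still matters: urlencode() joins pairs with "&".
    href = "/style.php?" + urlencode({"v": "2", "lang": lang})
    return '<link rel="stylesheet" href="' + html.escape(href, quote=True) + '">'

class _TagAudit(HTMLParser):
    """Records every start tag and its attribute names as a browser-like
    parser sees them."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, [name for name, _ in attrs]))

def audit(fragment: str):
    parser = _TagAudit()
    parser.feed(fragment)
    parser.close()
    return parser.tags

def is_intact(fragment: str) -> bool:
    # The template intends exactly one <link> with rel and href, nothing else.
    return audit(fragment) == [("link", ["rel", "href"])]

if __name__ == "__main__":
    for render in (link_tag_unsafe, link_tag_safe):
        out = render(SAMPLE)
        print(render.__name__, "intact" if is_intact(out) else "ALTERED", out)
```

The same audit can run in a regression test over every template that echoes request parameters, so that a change in rendered tag structure fails the build.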