Nikolas Sotiriu has reported some vulnerabilities in Websense Email Security and Personal Email Manager, which can be exploited by malicious people to cause a DoS (Denial of Service) and conduct cross-site scripting and script insertion attacks.

1) An error within the handling of HTTP requests within the Web Administrator frontend (STEMWADM.EXE) can be exploited to crash the service by sending HTTP GET requests to the port 8181 and then closing the socket.

Note: By default, the service is restarted.

2) Input passed to the "FileName", "IsolatedMessageID", "ServerName", "Dictionary", "Scoring", and "MessagePart" parameters in web/msgList/viewmsg/actions/msgAnalyse.asp, to the "Queue", "FileName", "IsolatedMessageID", and "ServerName" parameters in web/msgList/viewmsg/actions/msgForwardToRiskFilter.asp and web/msgList/viewmsg/viewHeaders.asp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) Input passed via the email subject is not properly sanitised before being displayed. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site when a specially crafted email is shown in the Web Administrator frontend.

The vulnerabilities are reported in Websense Email Security version 7.1 and Personal Email Manager version 7.1. Other versions may also be affected.

Solution
Apply Hotfix 4 for Websense Email Security v7.1 and Personal Email Manager v7.1.
Further details available in Customer Area

Provided and/or discovered by
Nikolas Sotiriu

Changelog
Further details available in Customer Area

Original Advisory
Websense:
http://kb.websense.com/display/4/kb/article.aspx?aid=4786

Nikolas Sotiriu:
http://sotiriu.de/adv/NSOADV-2009-002.txt
http://sotiriu.de/adv/NSOADV-2009-003.txt

Deep Links
Links available in Customer Area