
List:       bugtraq
Subject:    [SIG^2 G-TEC] SurgeMail Webmail Attachment Upload and XSS
From:       <chewkeong () security ! org ! sg>
Date:       2005-03-23 11:21:11
Message-ID: 20050323112111.7236.qmail () www ! securityfocus ! com



SIG^2 Vulnerability Research Advisory

SurgeMail Webmail Attachment Upload and XSS Vulnerabilities

by Tan Chew Keong
Release Date: 23 Mar 2005

ADVISORY URL
http://www.security.org.sg/vuln/surgemail22g3.html


SUMMARY

SurgeMail (http://netwinsite.com/surgemail/) is a next-generation mail server combining features, performance and ease of use into a single integrated product. It runs on Windows NT/2K or UNIX (Linux, Solaris, etc.) and supports all the standard protocols: IMAP, POP3, SMTP, SSL and ESMTP.

A vulnerability was found in SurgeMail's Webmail file attachment upload feature. It may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. Two XSS vulnerabilities were also found.


TESTED SYSTEM

SurgeMail Version 2.2g3 Windows on English Win2K SP4.

 
DETAILS

This advisory documents two Webmail vulnerabilities found in the SurgeMail server. The first is a file attachment upload vulnerability, which may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. The second is Cross-Site Scripting (XSS), of which two instances were found.

1. File Attachment Upload Vulnerability.
 
SurgeMail allows a logged-on user to attach files when composing a new email via the Webmail interface. Uploaded file attachments are temporarily stored in the c:\surgemail\web_work\u_xx\xxxx@hostname@127_0_0_1\attach\SomeRandomNumber\ directory. The value of SomeRandomNumber is taken from the attach_id parameter of the upload POST request and is therefore under the attacker's control. The server creates the "SomeRandomNumber" directory if it does not exist. By supplying directory traversal characters in this parameter, it is possible to cause the uploaded files to be written to other directories.

2. Cross-Site Scripting (XSS) Vulnerabilities.

A user is allowed to configure an email auto-reply message using the Webmail interface. This auto-reply message consists of a message subject and a message header, and it is possible to inject JavaScript into both fields. If the Webmail administrator views this user's auto-reply message settings, the injected JavaScript is executed in the administrator's browser. This may be exploited by a malicious user to steal the Webmail administrator's cookies or to redirect the administrator's browser to malicious websites.

Another XSS vulnerability occurs when webmail.exe displays an error message in response to an invalid value in the page parameter. The error message also reveals the installation path.
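The two server-side checks that close the issues in sections 1 and 2 (strict validation of the client-supplied attach_id before any path is built, plus containment of the resolved directory, and HTML escaping of the auto-reply fields before an administrator views them), as an added Python example that is not from the advisory or from SurgeMail's own code. The base directory, function names and HTML layout are assumptions.

```python
import html
import os
import re

# Constructed stand-in for SurgeMail's per-user ...\attach\ folder
# (placeholder path, not taken from the advisory).
ATTACH_BASE = os.path.join(os.sep, "srv", "webmail", "attach")

# Only a short run of decimal digits is a legitimate attach_id. Anything
# else (.., path separators, drive letters, NUL) is rejected before a path
# is ever built, so traversal characters never reach the filesystem layer.
ATTACH_ID_RE = re.compile(r"[0-9]{1,12}")


def attach_dir_for(attach_id: str, base: str = ATTACH_BASE):
    """Return the absolute attachment directory for a client-supplied
    attach_id, or None if the value must be rejected."""
    if not ATTACH_ID_RE.fullmatch(attach_id):
        return None
    # Defence in depth: even though the regex forbids separators, resolve
    # the candidate path and confirm it is still inside the base directory.
    base = os.path.abspath(base)
    candidate = os.path.abspath(os.path.join(base, attach_id))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # e.g. different drives on Windows
        return None
    return candidate


def render_autoreply(subject: str, header: str) -> str:
    """Build the HTML fragment an administrator sees when viewing a user's
    auto-reply settings. Both fields are escaped, so injected <script>
    markup is shown as inert text instead of being executed."""
    return (
        "<dl><dt>Subject</dt><dd>{}</dd>"
        "<dt>Header</dt><dd>{}</dd></dl>"
    ).format(html.escape(subject, quote=True), html.escape(header, quote=True))
```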


PATCH

Upgrade to the latest version of SurgeMail (Version 3.0c2 or later).

 
DISCLOSURE TIMELINE

18 Mar 05 - Vulnerability Discovered.
19 Mar 05 - Vulnerability Verification.
19 Mar 05 - Initial Vendor Notification.
22 Mar 05 - Vendor replied with fixed version.
23 Mar 05 - Public Release.
 

GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."
 

