List: bugtraq
Subject: [SIG^2 G-TEC] SurgeMail Webmail Attachment Upload and XSS
From: <chewkeong () security ! org ! sg>
Date: 2005-03-23 11:21:11
Message-ID: 20050323112111.7236.qmail () www ! securityfocus ! com
SIG^2 Vulnerability Research Advisory
SurgeMail Webmail Attachment Upload and XSS Vulnerabilities
by Tan Chew Keong
Release Date: 23 Mar 2005
ADVISORY URL
http://www.security.org.sg/vuln/surgemail22g3.html
SUMMARY
SurgeMail (http://netwinsite.com/surgemail/) is a next generation Mail Server, combining features, performance and ease of use into a single integrated product. It is ideal on Windows NT/2K or UNIX (Linux, Solaris etc.) and supports all the standard protocols: IMAP, POP3, SMTP, SSL, ESMTP.
A vulnerability was found in SurgeMail's Webmail file attachment upload feature. This vulnerability may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. Two XSS vulnerabilities were also found.
TESTED SYSTEM
SurgeMail Version 2.2g3 Windows on English Win2K SP4.
DETAILS
This advisory documents two Webmail vulnerabilities found in the SurgeMail server. The first is a file attachment upload vulnerability. This vulnerability may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. The second is a Cross-Site Scripting (XSS) vulnerability.
1. File Attachment Upload Vulnerability.
SurgeMail allows a logged-on user to attach files when composing a new email via the Webmail interface. Uploaded file attachments are temporarily stored in the c:\surgemail\web_work\u_xx\xxxx@hostname@127_0_0_1\attach\SomeRandomNumber\ directory. In particular, the value of SomeRandomNumber is taken from the upload POST request (the attach_id parameter) and is therefore under the attacker's control. The server will create the directory "SomeRandomNumber" if it does not exist. By using directory traversal characters in this value, it is possible to cause the uploaded files to be written to other directories.
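A defender's illustration of the check the attach_id handling above is missing: the server must validate the client-supplied id and confirm the resolved attachment directory still lies under the per-user attach base before creating it. This is added example code, not SurgeMail's; the base path and the numeric-only allow-list are assumptions.

```python
import os
import re

# Constructed base directory modelled on the layout described in the
# advisory (assumption; the real server path is not known here).
ATTACH_BASE = "/srv/surgemail/web_work/u_xx/user@hostname@127_0_0_1/attach"

# attach_id is meant to be a random number chosen by the client, so a
# strict allow-list on the id is the simplest robust fix (assumed format).
ATTACH_ID_RE = re.compile(r"[0-9]{1,20}")


def attach_dir(attach_id: str, base: str = ATTACH_BASE) -> str:
    """Return the directory an upload with this attach_id may use, or
    raise ValueError if the id could escape the attachment base.

    Two independent checks are applied: an allow-list on the id itself,
    and a containment check on the resolved path, so a later relaxation
    of the allow-list cannot silently reintroduce traversal.
    """
    if not ATTACH_ID_RE.fullmatch(attach_id):
        raise ValueError("attach_id must be a decimal number")
    base_abs = os.path.abspath(base)
    target = os.path.abspath(os.path.join(base_abs, attach_id))
    # commonpath (not startswith) also rejects the sibling-prefix trick,
    # e.g. ".../attach" versus ".../attach_evil".
    if os.path.commonpath([base_abs, target]) != base_abs:
        raise ValueError("attach_id escapes the attachment directory")
    return target


def is_safe_attach_id(attach_id: str) -> bool:
    """Convenience wrapper: True if attach_dir() accepts the id."""
    try:
        attach_dir(attach_id)
        return True
    except ValueError:
        return False
```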
2. Cross-Site Scripting (XSS) Vulnerabilities.
A user is allowed to configure an email auto-reply message using the Webmail interface. This auto-reply message consists of a message subject and a message header. It is possible to inject javascript into both of these fields. If the Webmail administrator views this user's auto-reply message settings, the injected javascript will be executed in the administrator's browser. This may be exploited by a malicious user to steal the Webmail administrator's cookies or to redirect the administrator's browser to malicious websites.
Another XSS vulnerability occurs when webmail.exe displays an error message in response to an invalid value in the page parameter. The error message also reveals the installation path.
PATCH
Upgrade to the latest version of SurgeMail (Version 3.0c2 or later).
DISCLOSURE TIMELINE
18 Mar 05 - Vulnerability Discovered.
19 Mar 05 - Vulnerability Verification.
19 Mar 05 - Initial Vendor Notification.
22 Mar 05 - Vendor replied with fixed version.
23 Mar 05 - Public Release.
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."