List: bugtraq
Subject: Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6
From: ShineShadow <ss_contacts () hotmail ! com>
Date: 2005-04-22 15:17:01
Message-ID: 20050422151701.9484.qmail () www ! securityfocus ! com
ShineShadow Security Report 22042005-04
TITLE: Multiple vulnerabilities in Argosoft Mail Server Pro 1.8.7.6.
BACKGROUND
ArGoSoft Mail Server is fully functional SMTP/POP3/Finger (Pro version also has IMAP module) server for Windows 95/98/NT/2000, which will let you turn your computer into the email system. It's very compact, takes about 1-5 Mb of disk space (depending on the version), does not have any specific memory requirements, and what is the most important - it's very easy to use.
Source: www.argosoft.com
VULNERABLE PRODUCTS
Argosoft Mail Server Pro 1.8.7.6 (possibly other versions)
DETAILS
1. Multiple cross-site scripting (XSS) vulnerabilities.
Description:
A remote user can carry out a cross-site scripting (XSS) attack. This is possible because some HTML tags in email messages are not filtered (for example, the “src” parameter in the IMG tag). An attacker can send the victim a specially crafted email message. If the victim views this message using the web interface, the attacker's Java code will be executed in the victim's web browser. Many XSS vulnerabilities also exist in the input boxes of webmail pages (for example, User settings, Address book and others).
2. Copying or moving files with arbitrary content and .eml extension to arbitrary locations on the server.
Vulnerable script: delete
Description:
A remote user who has an account on Argosoft Mail Server can copy or move their own .eml files with arbitrary content (which, for example, could be uploaded as an attachment) to arbitrary locations on the server. This is a directory traversal vulnerability. The new name of the moved or copied .eml file is randomly generated by the script.
3. Deleting own account on the mail server.
Vulnerable script: folderdelete
Description:
A remote user who has an account on Argosoft Mail Server can delete their home directory and account on the mail server. This is an input validation error in the “Folder” parameter.
4. Creating arbitrary user accounts on mail server.
Vulnerable script: addnew
Description:
A remote user can create a user account on the mail server even if the option “Allow Creation of Accounts From the Web Interface” has been disabled. This is possible because the script does not require authentication. An attacker can send a POST query to the vulnerable script to create a valid user account on the remote mail server. After that, it is possible to use the other vulnerabilities described in this report to get full control of Argosoft Mail Server or the remote system.
5. Viewing arbitrary files on mail server.
Vulnerable script: msg
Description:
A remote user who has an account on Argosoft Mail Server can view arbitrary files on the mail server. This is a directory traversal vulnerability in the “UIDL” parameter. An attacker can view messages of other users, configuration files or other text files on the remote mail server.
6. Unfixed critical vulnerabilities.
Description:
Argosoft Mail Server 1.8.7.6 has unfixed known critical vulnerabilities. SIG^2 (www.security.org.sg) discovered some directory traversal vulnerabilities in Argosoft Mail Server 1.8.7.3 (http://www.security.org.sg/vuln/argosoftmail1873.html). The following vulnerabilities have NOT been fixed by the vendor and exist in the latest version of the product (Argosoft Mail Server 1.8.7.6):
- Directory traversal in email attachment filename allows file upload to arbitrary directories
- Directory traversal in _msgatt.rec allows any arbitrary files on the server to be sent as attachment
EXPLOITATION
WebMail must be running on Argosoft Mail Server.
WORKAROUND
Disable WebMail of Argosoft Mail Server.
VENDOR STATUS
Vendor contacted: 24 January 2005
Contact was interrupted by the vendor. Details were not discussed during the contact.
SUMMARY
An attacker who successfully exploited the vulnerabilities described in this report could take complete control of an Argosoft Mail Server 1.8.7.x or an affected remote system. I do not advise using this product; you must disable the Webmail service of Argosoft Mail Server.
CREDITS
ShineShadow, independent computer security expert.
To get more information, please contact me by e-mail.
22.04.2005
ShineShadow,
ss_contacts@hotmail.com
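
Added example (not part of the original report and not Argosoft's code): the Python code below shows the kind of server-side validation whose absence the report describes for the “UIDL” and “Folder” parameters and for attachment filenames. Each client-supplied value must be a single path component, and the resolved path must stay inside the user's mailbox. The storage layout, `MAIL_ROOT` and all function names are assumptions.

```python
import ntpath
import re

# Assumption: mail is stored as <MAIL_ROOT>\<user>\<folder>\<uidl>.eml; the
# advisory does not describe the product's real on-disk layout.
MAIL_ROOT = r"C:\MailRoot"  # hypothetical path
# One path component: no dots, slashes, backslashes or colons.
_COMPONENT = re.compile(r"[A-Za-z0-9_-]{1,64}")
# Windows device names that would open a device instead of a file.
_RESERVED = {"con", "prn", "aux", "nul"} | {
    f"{dev}{n}" for dev in ("com", "lpt") for n in range(1, 10)}


class UnsafePath(ValueError):
    """Raised when a request parameter could escape the user's mailbox."""


def _component(value, what):
    if not isinstance(value, str) or not _COMPONENT.fullmatch(value):
        raise UnsafePath(f"{what}: illegal characters or length")
    if value.lower() in _RESERVED:
        raise UnsafePath(f"{what}: reserved device name")
    return value


def message_path(user, folder, uidl):
    """Map (user, Folder, UIDL) to an .eml path inside that user's mailbox."""
    home = ntpath.join(MAIL_ROOT, _component(user, "user"))
    # Folder must name a subfolder, so the result can never be the home
    # directory itself (the outcome item 3 of the report describes).
    path = ntpath.join(home, _component(folder, "Folder"),
                       _component(uidl, "UIDL") + ".eml")
    # Defence in depth: normalise, then confirm containment under home.
    norm = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(home)) + "\\"
    if not norm.startswith(root):
        raise UnsafePath("resolved path leaves the mailbox")
    return ntpath.normpath(path)


def attachment_name(filename):
    """Reduce a client-supplied attachment filename to a bare, safe name."""
    # Treat both separators as path separators and keep the last component.
    base = ntpath.basename(filename.replace("/", "\\")).strip(" .")
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    if not base or base.split(".")[0].lower() in _RESERVED:
        raise UnsafePath("attachment filename unusable")
    return base[:128]
```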