List:       bugtraq
Subject:    Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6
From:       ShineShadow <ss_contacts () hotmail ! com>
Date:       2005-04-22 15:17:01
Message-ID: 20050422151701.9484.qmail () www ! securityfocus ! com

ShineShadow Security Report  22042005-04

TITLE: Multiple vulnerabilities in Argosoft Mail Server Pro 1.8.7.6.

BACKGROUND

ArGoSoft Mail Server is fully functional SMTP/POP3/Finger (Pro version also has IMAP module) server for Windows 95/98/NT/2000, which will let you turn your computer into the email system. It's very compact, takes about 1-5 Mb of disk space (depending on the version), does not have any specific memory requirements, and what is the most important - it's very easy to use.
Source: www.argosoft.com

VULNERABLE PRODUCTS

Argosoft Mail Server Pro 1.8.7.6 (possibly others)

DETAILS

1. Multiple cross-site scripting (XSS) vulnerabilities.

Description: 
A remote user can carry out a cross-site scripting (XSS) attack. This is possible because some HTML tags in email messages are not filtered (for example, the “src” parameter of the IMG tag). An attacker can send the victim a specially crafted email message. If the victim views this message through the web interface, the attacker's Java code will be executed in the victim's web browser. Many XSS vulnerabilities also exist in the input boxes of webmail pages (for example, User settings, Address book and others).

2. Copying or moving files with arbitrary content and .eml extension to arbitrary locations on the server.

Vulnerable script: delete

Description: 
A remote user who has an account on Argosoft Mail Server can copy or move their own .eml files with arbitrary content (which, for example, could be uploaded as an attachment) to arbitrary locations on the server. This is a directory traversal vulnerability. The new name of the moved or copied .eml file is randomly generated by the script.

3. Deleting own account on the mail server.

Vulnerable script: folderdelete

Description:
A remote user who has an account on Argosoft Mail Server can delete his home directory and account on the mail server. This is an input validation error in the “Folder” parameter.

4. Creating arbitrary user accounts on mail server.

Vulnerable script: addnew

Description:
A remote user can create a user account on the mail server even if the option “Allow Creation of Accounts From the Web Interface” has been disabled. This is possible because the script does not require authentication. An attacker can send a POST query to the vulnerable script to create a valid user account on the remote mail server. After that, it is possible to use the other vulnerabilities described in this report to get full control of Argosoft Mail Server or the remote system.

5. Viewing arbitrary files on mail server.

Vulnerable script: msg

Description:
A remote user who has an account on Argosoft Mail Server can view arbitrary files on the mail server. This is a directory traversal vulnerability in the “UIDL” parameter. An attacker can view messages of other users, configuration files or other text files on the remote mail server.

6. Unfixed critical vulnerabilities.

Description:
Argosoft Mail Server 1.8.7.6 has unfixed known critical vulnerabilities. SIG^2 (www.security.org.sg) discovered some directory traversal vulnerabilities in Argosoft Mail Server 1.8.7.3 (http://www.security.org.sg/vuln/argosoftmail1873.html). The following vulnerabilities have NOT been fixed by the vendor and still exist in the latest version of the product (Argosoft Mail Server 1.8.7.6):
- Directory traversal in email attachment filename allows file upload to arbitrary directories
- Directory traversal in _msgatt.rec allows any arbitrary files on the server to be sent as attachment


EXPLOITATION

WebMail must be running on Argosoft Mail Server.

WORKAROUND

Disable WebMail of Argosoft Mail Server.

VENDOR STATUS

Vendor contacted: 24 January 2005
Contact was interrupted by the vendor. Details were not discussed during the contact.


SUMMARY

An attacker who successfully exploited the vulnerabilities described in this report could take complete control of an Argosoft Mail Server 1.8.7.x or an affected remote system. I do not advise using this product; you must disable the Webmail service of Argosoft Mail Server.

CREDITS

ShineShadow, independent computer security expert.
To get more information, please contact me by e-mail.

22.04.2005
ShineShadow,
ss_contacts@hotmail.com
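
The directory traversal issues in items 2 and 5 arise when a request parameter such as “UIDL” is used to build a file path. The following Python example is added here and is not taken from the advisory or from Argosoft's code; it contrasts an unchecked path join with a resolver that confines a message identifier to the user's mailbox. The `<id>.eml` layout, the function names and the sample identifiers are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Assumption: message files are named "<id>.eml" inside a per-user mailbox
# directory; the advisory does not document the server's real layout.
SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,64}")


def naive_message_path(mailbox_root, uidl):
    """'Before' form: the request parameter goes straight into the path."""
    return os.path.normpath(os.path.join(mailbox_root, uidl + ".eml"))


def confined_message_path(mailbox_root, uidl):
    """Return the message path, or raise ValueError if it leaves the mailbox."""
    # 1. Allow-list: the identifier must be a single plain token, so path
    #    separators, dots, drive letters and NUL bytes never reach the join.
    if not SAFE_ID.fullmatch(uidl):
        raise ValueError("illegal characters in message identifier")
    # 2. Defence in depth: resolve symlinks and ".." and compare with the root.
    root = os.path.realpath(mailbox_root)
    candidate = os.path.realpath(os.path.join(root, uidl + ".eml"))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path is outside the mailbox")
    return candidate


def is_inside(root, path):
    root = os.path.realpath(root)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def demo():
    """Run both resolvers over constructed identifiers; return what each did."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        mailbox = os.path.join(base, "users", "alice")
        os.makedirs(mailbox)
        for uidl in ("msg0001", "../bob/msg0001", "..\\..\\config", ""):
            naive_ok = is_inside(mailbox, naive_message_path(mailbox, uidl))
            try:
                confined_message_path(mailbox, uidl)
                verdict = "accepted"
            except ValueError:
                verdict = "rejected"
            results[uidl] = (naive_ok, verdict)
    return results
```

`demo()` maps each constructed identifier to a pair: whether the unchecked join stayed inside the mailbox, and whether the confined resolver accepted or rejected it.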

