lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20030708182514.23525.qmail@www.securityfocus.com>
Date: 8 Jul 2003 18:25:14 -0000
From: tizio caio <G00db0y@...e-h.org>
To: bugtraq@...urityfocus.com
Subject: ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail
    attachments retrievable without proper authentication




ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail 
attachments retrievable without proper authentication.
Published: 08/07/2003

Released: 08/07/2003

Name: Rockliffe Mailsite Express - mail attachments retrievable without 
proper authentication

Affected Systems: Mailsite 5.3.4 (and older versions?)

Issue: Remote attackers can view all attachments

Author: G00db0y@...e-h.org


Description

***********

Zone-h Security Team has discovered a serious security flaw in 
Rockliffe's MailSite Management Agent (version 5.3.4). This server allows 
remote users to access their POP3 accounts and read their mail over HTTP. 
The service usually listens on TCP port 80. The system allows an attacker 
to retrieve all attachments from it granting access to sensible 
information .

Details

*******

Many sites (you can find them using google) register all accesses to 
their websites. This information is collected in their stats page. It's 
very easy to find them (example www.site.com/stats/). From that point, an 
attacker could retrieve without authentication any attachments on every 
email that is online and not deleted from the mail server.

From the stats page it's possible to see every access on every page on 
the webserver so also in the MailSite structure. When a user visualizes 
the mail attachements, the stat package is generating a link like this 
one: 
http://www.site.com/express/cache/DC44AEECB46AE0C029E85BBD43089833/4118200
66/attachment

The default installation path of Mailsite Managements Agent is /express. 
Every attachment is stored in the sub directory called cache. Access path 
to this directory is granted through a randomly generated url so it's 
impossible to retrieve any attachments from it. Connecting instead from 
the link contained in the stat package page, it is possible to retrieve 
directly any attachment.

Solution:

*********

The vendor has been contacted and a patch is not yet produced

Suggestions:

************

Protect your web statistics page with a login procedure. Upgrade your 
current version of Mail Site Express when the vendor will release the 
patch to fix this problem.

G00db0y - www.zone-h.org admin

Original advisory: http://www.zone-h.org/en/advisories/read/id=2643/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ