Message-ID: <BAY9-DAV28Dd3OJXsNQ000643a1@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Surgemail - Multiple Vulnerabilities

------------------------------------------------------------
   - EXPL-A-2004-002 exploitlabs.com Advisory 028 -
------------------------------------------------------------
                            - Surgemail -



OVERVIEW
========
"SurgeMail is a next generation Mail Server -
Combining features, performance and ease of
use into a single integrated product.
Ideal on Windows NT/2K, or Unix (Linux, Solaris etc)
 and supports all the standard protocols
IMAP, POP3, SMTP, SSL, ESMTP."

Surgemail suffers from two basic remote vulnerabilities:

1. Information disclosure: when a non-existent filename is requested, the
process's STDERR is rendered to the user, disclosing the physical directory structure.

2. XSS (cross-site scripting) via the login form, in particular the
"username" field. This allows credential theft via externally hosted
malicious script. It affects both the HTTP and HTTPS access vectors.



AFFECTED PRODUCTS
=================
Surgemail (Win32 and *nix, through version 1.9)

WebMail v3.1d Copyright © NetWin Ltd

http://netwinsite.com/index.html
http://netwinsite.com/overviews.htm
http://netwinsite.com/server/email_server_software.htm


DETAILS
=======
1. Information Disclosure
Surgemail's web-based interface reveals the physical directory
structure when a request is made for a non-existent (404) resource.


http://x.x.x.x/[non-existent request]

http://x.x.x.x:7080/scripts/
"Could not create process D:\surgemail/scripts/ Access Denied
Is the url correct, check for a log file in the scripts directory
 and run the process in a shell window (D:\surgemail)"

http://x.x.x.x:7080/scripts/err.txt
"Could not create process D:\surgemail/scripts/err.txt File Not Found
Is the url correct, check for a log file in the scripts directory
 and run the process in a shell window (D:\surgemail)"

http://x.x.x.x/scripts/err.txt
CGI did not respond correctly, it probably exited abnormally or the file
may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()



2. XSS ( cross site scripting )

The login form's username field is vulnerable to XSS.

================ snip ========================

http://x.x.x.x:7080/
http://x.x.x.x:7080/<script>alert('Vulnerable')</script>
http://x.x.x.x:7080/<script>alert(document.cookie)</script>

================ snip ========================
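As an added defender's illustration (not code from the advisory, from exploitlabs or from NetWin), the two weaknesses above modelled in Python: an error handler in the style of the quoted messages, which embeds the on-disk path and reflects the raw request, beside a hardened handler that returns a generic 404 and HTML-escapes anything it echoes, plus a small scan of access-log lines for the `<script` probe shown in the proof of concept. The script directory and the log lines are constructed stand-ins, not values from any real deployment.

```python
import html
import re
from urllib.parse import unquote

# Constructed stand-in for the server's on-disk script directory; not a real path.
SCRIPT_ROOT = "D:/surgemail/scripts"

def error_page_vulnerable(request_path: str) -> str:
    """Error page in the style the advisory quotes: the physical path is
    embedded verbatim and the request path is reflected without escaping."""
    local = SCRIPT_ROOT + "/" + request_path.lstrip("/")
    return ("<html><body>Could not create process " + local + " File Not Found"
            "<br>Is the url correct? (" + SCRIPT_ROOT + ")</body></html>")

def error_page_hardened(request_path: str) -> str:
    """Hardened form: generic message, no filesystem path, and the only
    request-derived text is HTML-escaped so markup cannot break out of the body.
    The on-disk detail belongs in the server log, not in the response."""
    shown = html.escape(request_path, quote=True)
    return ("<html><body>404 Not Found: the requested resource "
            + shown + " does not exist.</body></html>")

def leaks_filesystem_path(body: str) -> bool:
    """True if the response reveals the server's on-disk location."""
    return SCRIPT_ROOT.lower() in body.lower()

def reflects_raw_markup(body: str) -> bool:
    """True if a <script ...> tag survives into the response unescaped."""
    return re.search(r"<script\b", body, re.IGNORECASE) is not None

SCRIPT_IN_PATH = re.compile(r"<script\b", re.IGNORECASE)

def suspicious_log_lines(log: str) -> list:
    """Flag access-log lines whose request path (after URL decoding) carries a
    <script tag, i.e. probes matching the advisory's proof of concept."""
    hits = []
    for line in log.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+)', line)
        if m and SCRIPT_IN_PATH.search(unquote(m.group(1))):
            hits.append(line)
    return hits

# Constructed sample log lines (common log format), not from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jun/2004:10:00:01 +0000] "GET /scripts/err.txt HTTP/1.0" 404 512
10.0.0.5 - - [02/Jun/2004:10:00:03 +0000] "GET /%3Cscript%3Ealert('x')%3C/script%3E HTTP/1.0" 404 640
10.0.0.9 - - [02/Jun/2004:10:00:07 +0000] "GET /cgi/login?username=alice HTTP/1.0" 200 2048
"""
```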



SOLUTION
========
Vendor contacted May 16, 2003 (support-surgemail@...winsite.com)
Vendor acknowledgement received May 17, 2003

Vendor Patch / Version 2.0c released June 2, 2004
and may be obtained at
ftp://ftp.netwinsite.com/pub/surgemail/beta
http://www.netwinsite.com/surgemail/help/updates.htm


PROOF OF CONCEPT
================
( see DETAILS )


CREDITS
=======
These vulnerabilities were discovered and researched by

Donnie Werner of exploitlabs
mail: morning_wood@...loitlabs.com
--
web: http://exploitlabs.com
web: http://zone-h.org

ref: http://zone-h.org/en/advisories/read/id=4714/
ref: http://exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt

