[NT] Path Disclosure Vulnerability found in MailMax/Web
From: support@securiteam.com
Date: 04/18/03
From: support@securiteam.com To: list@securiteam.com Date: 18 Apr 2003 12:00:29 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Path Disclosure Vulnerability found in MailMax/Web
------------------------------------------------------------------------
SUMMARY
"Our IMAP based MailMax/WEB 4.1 has a crisp new look and now allows you to
send and retrieve your mail three times faster when utilized with MailMax
5.0. Tightly integrated with the MailMax 5 email server, this add-on
product provides a seamless solution to your web-based email needs."
The problem is an information leak in the MailMax/WEB interface that
allows remote attackers to determine where the program has been installed.
DETAILS
Vulnerable systems:
* MailMAX/WEB version 4.1
Inspecting an HTTP request sent to the server reveals the true location
where the program was installed, because the cookie stores the path of the
installation directory.
The following transcript demonstrates the problem:
----------------------------- [Transcript] -----------------------------
GET /mailmaxweb/mmweb_images/intro_splash.jpg HTTP/1.1
Accept: */*
Referer: http://
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0b2; Windows NT 5.0)
Host: win2k-serv
Connection: Keep-Alive
Cookie: BOXLOADED=NO; MYDIR=c:\inetpub\wwwroot\mailmaxweb;
----------------------------- [Transcript] -----------------------------
Disclosure timeline:
29/03/2003 Found the Vulnerability, and made an analysis.
29/03/2003 Reported to Vendor (sales@smartmax.com, features@smartmax.com,
support@smartmax.com).
27/03/2003 Vendor reply, they now know of the vulnerabilities.
27/03/2003 Fix made public.
11/04/2003 Public Disclosure.
ADDITIONAL INFORMATION
The vulnerability was discovered and reported by <mailto:der@infowarfare.dk> Dennis Rand.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
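A check for the kind of leak the advisory describes, written as an added example (it is not part of the original bulletin or of MailMax/WEB): it parses the Cookie and Set-Cookie headers of a captured HTTP message and reports any cookie whose value, after URL-decoding, looks like an absolute filesystem path. The function names, the path patterns and the abridged sample request are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample: the request from the advisory's transcript, abridged.
SAMPLE_REQUEST = (
    "GET /mailmaxweb/mmweb_images/intro_splash.jpg HTTP/1.1\r\n"
    "Host: win2k-serv\r\n"
    "Cookie: BOXLOADED=NO; MYDIR=c:\\inetpub\\wwwroot\\mailmaxweb;\r\n"
    "\r\n"
)

# Heuristic shapes (assumed): drive letter, UNC share, common Unix roots.
PATH_PATTERNS = [
    ("windows-drive", re.compile(r"^[A-Za-z]:[\\/]")),
    ("unc-share", re.compile(r"^\\\\[^\\]+\\")),
    ("unix-absolute", re.compile(r"^/(?:var|usr|home|opt|srv|etc|tmp)/")),
]

def cookie_pairs(raw_message):
    """Yield (name, value) for every cookie in Cookie / Set-Cookie headers."""
    head = raw_message.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the request/status line
        field, _, content = line.partition(":")
        kind = field.strip().lower()
        if kind not in ("cookie", "set-cookie"):
            continue
        parts = content.split(";")
        if kind == "set-cookie":
            parts = parts[:1]  # the rest are attributes (Path=, Expires=, ...)
        for part in parts:
            name, sep, value = part.strip().partition("=")
            if sep:
                yield name, value.strip('"')

def find_path_leaks(raw_message):
    """Return [(cookie_name, pattern_label, decoded_value)] for path-like values."""
    leaks = []
    for name, value in cookie_pairs(raw_message):
        decoded = unquote(value)  # also catches c%3A%5Cinetpub... encodings
        for label, pattern in PATH_PATTERNS:
            if pattern.search(decoded):
                leaks.append((name, label, decoded))
                break
    return leaks

if __name__ == "__main__":
    for name, label, value in find_path_leaks(SAMPLE_REQUEST):
        print(f"cookie {name!r} exposes a {label} path: {value}")
```

Run over proxy or web-server logs, the same function flags any application that places server-side paths in client-visible cookies, not only the MYDIR cookie shown in the transcript.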