[NT] Merak Webmail Server Multiple Vulnerabilities

From: SecuriTeam (support_at_securiteam.com)
Date: 08/19/04

    To: list@securiteam.com
    Date: 19 Aug 2004 11:32:20 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Merak Webmail Server Multiple Vulnerabilities
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.merakmailserver.com/Products/Webmail_Server_Software/> Merak
    Webmail Server Software "provides users with the ability to access their
    email via a browser using an 'Outlook 2002 or 2003' style interface as
    well as many others, or via their Wireless WAP-enabled device". The Merak
    Webmail Server has been found to contain multiple vulnerabilities:
    Cross-Site Scripting, full path disclosure, exposure of PHP source files,
    and SQL injection.

    DETAILS

    Vulnerable Systems:
     * Merak Mail Server version 7.5.1 and prior

    Immune Systems:
     * Merak Mail Server version 7.5.2 or newer

    Cross-Site Scripting:
    The Merak Webmail server fails to validate or encode many of its query
    parameters before reflecting them into the page, so an attacker can use
    these parameters for a Cross-Site Scripting attack.

    Examples:
    /address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=">[XSS]&cserver=&ext=
    /address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=
    /address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]
    /address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=
    /address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=
    /address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=
    /settings.html?autoresponder=1&id=[id]&spage=">[XSS]
    /settings.html?autoresponder=">[XSS]&id=[id]&spage=0
    /readmail.html?id=[id]&folder=">[XSS]

    The following files (attachment.html, calendar.html) can be accessed
    without knowing the user's session ID, which makes them easier to use
    for exploitation:
    /attachment.html?attachmentpage_text_error=">[XSS]
    /calendar.html?id=1&schedule=admin%40merakdemo.com&cv=n&folder=">[XSS]
    /calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=">[XSS]
    /calendar.html?id=[id]&cv=">[XSS]&ct=[ct]&sf=addevent&ESdhour=8

    It is also possible to inject XSS into mail messages.

    Example:
    Open the webmail client and compose a new message containing something like:
    < IMG alt="" hspace=0 src="javascript:alert(document.cookie)"
    align=baseline border=0>< IFRAME src="http://www.google.com"></body>
    </html> </IFRAME>

    Click on the HTML message checkbox (in order to send it in HTML format).

    The script executes in your own browser when the message is composed. If
    the message is sent, it also executes once the recipient reads the email.

    Full Path Disclosure
    Certain parameters of address.html trigger PHP warnings that reveal the
    installation path to a remote user.

    Example:
    Accessing the following URL:
    /mail/address.html?id=[id]&sort=criolabs&selectsort=criolabs&global=criolabs&showlite=criolabs&category=criolabs&cserver=&ext=, will return:

    Warning: reset(): Passed variable is not an array or object in C:\Archivos
    de programa\Merak\html\mail\address.html on line 565

    Warning: Variable passed to each() is not an array or object in
    C:\Archivos de programa\Merak\html\mail\address.html on line 566

    Warning: reset(): Passed variable is not an array or object in C:\Archivos
    de programa\Merak\html\mail\inc\function.address.php on line 100

    Warning: Variable passed to each() is not an array or object in
    C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line
    101

    Another example is to access the following URL:
    /calendar.html?id=6213dcc45fdbccc9af207d32722b93a7&cv=%22criolabs&ct='criolabs&sf='criolabs, which will return:

    Warning: mktime(): Windows does not support negative values for this
    function in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 413

    Warning: date(): Windows does not support dates prior to midnight
    (00:00:00), January 1, 1970 in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 413

    Warning: mktime(): Windows does not support negative values for this
    function in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 417

    Warning: mktime(): Windows does not support negative values for this
    function in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 420

    Warning: date(): Windows does not support dates prior to midnight
    (00:00:00), January 1, 1970 in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 420

    Warning: date(): Windows does not support dates prior to midnight
    (00:00:00), January 1, 1970 in C:\Archivos de
    programa\Merak\html\mail\inc\function.calendar.php on line 350

    Exposure of PHP Files:
    The server allows a remote user to download the source of any PHP file.
    Normally a web server executes the PHP file and returns only its output
    instead of allowing the file itself to be downloaded.

    Examples:
    http://localhost:32000/mail/inc/function.php
    http://localhost:32000/mail/inc/function.view.php

    SQL Injection:
    calendar.html contains numerous SQL injection vulnerabilities, which
    allow a remote user to inject arbitrary SQL commands through its query
    parameters.

    Examples:
    /calendar.html?id=1'&schedule=[SQL]
    /calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=';'&Eid=criolabs'
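    The reflected XSS, PHP-source exposure and SQL injection findings above all leave a recognisable shape in the web server's access log. The following detector is an added example written for this page (it is not part of the advisory or of Merak's code); the log lines are constructed, the page and parameter names come from the advisory, and the regexes and finding labels are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Combined-Log-Format lines (not real traffic); the paths and
# parameter names are the ones the advisory lists.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Aug/2004:11:32:20 +0200] "GET /mail/address.html?id=abc&sort=name&category=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512
10.0.0.5 - - [19/Aug/2004:11:32:21 +0200] "GET /mail/calendar.html?id=1'&schedule=x HTTP/1.1" 500 88
10.0.0.5 - - [19/Aug/2004:11:32:22 +0200] "GET /mail/inc/function.php HTTP/1.1" 200 40960
10.0.0.9 - - [19/Aug/2004:11:33:00 +0200] "GET /mail/readmail.html?id=abc&folder=Inbox HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Pages the advisory names as reflecting query parameters unencoded.
WEBMAIL_PAGES = {"address.html", "settings.html", "readmail.html", "attachment.html", "calendar.html"}
# Markup or a script: URL inside a parameter value marks a reflected-XSS probe.
XSS_RE = re.compile(r'<|">|javascript:', re.I)
# calendar.html parameters the advisory shows reaching SQL (assumed list).
SQLI_PARAMS = {"id", "schedule", "ct", "sf", "cv", "Eid"}

def classify(line):
    """Return a list of (finding, detail) tuples for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    page = parts.path.rsplit("/", 1)[-1]
    findings = []
    # Direct fetch of a PHP include under /mail/inc/ (PHP source exposure).
    if "/mail/inc/" in parts.path and page.endswith(".php"):
        findings.append(("php_source_exposure", parts.path))
    if page in WEBMAIL_PAGES:
        # parse_qsl percent-decodes values, so %22%3E arrives as ">.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if XSS_RE.search(value):
                findings.append(("reflected_xss_probe", f"{page}?{name}"))
            if page == "calendar.html" and name in SQLI_PARAMS and "'" in value:
                findings.append(("sql_injection_probe", f"{page}?{name}"))
    return findings

def scan(log_text):
    """Map each offending line number (1-based) to its findings."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), 1):
        found = classify(line)
        if found:
            hits[n] = found
    return hits

if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG).items():
        print(n, found)
```

    The fourth sample line (a normal readmail.html request) produces no finding, which is the false-positive check to keep when extending the parameter lists.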

    Disclosure Timeline:
    Vendor Contacted: Wed, 04 Aug 2004
    Thu, 12 Aug 2004: Release of Merak Mail Server 7.5.2

    Solution:
    Download the new release available at:
    http://www.MerakMailServer.com/Download/

    ADDITIONAL INFORMATION

    The information has been provided by Criolabs staff.
    The original article can be found at:
    http://www.criolabs.net/advisories/Merak.txt

