[NT] Multiple Vulnerabilities in Alt-N WebAdmin

From: SecuriTeam (support_at_securiteam.com)
Date: 01/31/05

  • Next message: SecuriTeam: "[NT] Defeating Microsoft Windows XP SP2 Heap Protection and DEP Bypass"
    To: list@securiteam.com
    Date: 31 Jan 2005 08:53:49 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.

    - - - - - - - - -

      Multiple Vulnerabilities in Alt-N WebAdmin


     <http://www.altn.com/products/default.asp?product%5Fid=WebAdmin> WebAdmin
    is "a web application to administer MDaemon and RelayFax. It can be run on
    its own or as an ISAPI application under Microsoft Internet Information
    Services (IIS). MDaemon is an e-mail server for Microsoft Windows.
    RelayFax is a fax server also for Microsoft Windows".

    Several vulnerabilities in WebAdmin allows an attacker to perform Cross
    Site Scripting attack as well as access and change other users' data.


    Vulnerable Systems:
     * Alt-N WebAdmin version 3.0.2 and lower

    Immune Systems:
     * Alt-N WebAdmin version 3.0.4

    Cross Site Scripting (XSS):
    A Cross Site Scripting exists on the useredit_account.wdm file. Example:

    Users can edit all the user accounts:
    There is no validation on the useredit_account.wdm script to disable
    access to other user accounts.


    HTML Injection:
    The file modalfram.wdm allows to load any web page to make it look as if
    comes from the WebAdmin server.


    An attacker will need to be able to logon to WebAdmin to take advantage of
    the second vulnerability, but he/she will only be able to view or modify
    the settings that he can modify on their own account (for example, if an
    user cannot modify their own "Name", he/she won't be able to modify the
    name in any other account, but if it is possible to modify their own
    "Name", the attacker will be able to modify the name in any other

    Disclosure Timeline:
     * Vendor notified on December 14, 2004.
     * Vendor replied on December 14, 2004.
     * Patch released on December 14, 2004.


    The information has been provided by <mailto:kamborio@gmail.com> David
    Alonso P rez.


    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[NT] Defeating Microsoft Windows XP SP2 Heap Protection and DEP Bypass"