[NT] MailEnable Web Mail Client Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.

- - - - - - - - -

MailEnable Web Mail Client Multiple Vulnerabilities


" <http://www.mailenable.com/default.asp> MailEnable's mail server
software provides a powerful, scalable hosted messaging platform for
Microsoft Windows. MailEnable offers stability, unsurpassed flexibility
and an extensive feature set which allows you to provide cost-effective
mail services."

Multiple vulnerabilities have been discovered in MailEnable Web Mail
Client, which can be exploited by malicious people to conduct cross-site
scripting, cross-site request forgery, and script insertion attacks.


Vulnerable Systems:
* MailEnable Professional Edition version 2.351
* (Other versions may also be affected.)

1) Scripts in email messages are not properly sanitised before being
displayed in the email message. This can be exploited to insert arbitrary
HTML and script code, which is executed in a user's browser session in
context of an affected site when a user views a specially crafted email

2) Input passed to the "ID" parameter in
mewebmail/base/default/lang/EN/Forms/MAI/list.asp, and
mewebmail/base/default/lang/EN/Forms/VCF/list.asp is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site. Successful exploitation requires that the
target user is logged in.

3) The application allows users to send messages via HTTP requests without
performing any validity checks to verify the request. This can be
exploited to change a user's settings by e.g. tricking a target user into
visiting a malicious website.

Update to the latest version.

Disclosure Timeline:
* 06/02/2007 - Vendor notified.
* 06/02/2007 - Vendor response.
* 13/02/2007 - Request for status update.
* 13/02/2007 - Vendor response with fix information.
* 14/02/2007 - Public disclosure.


The information has been provided by Secunia Research.
The original article can be found at:


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.