[NT] MailEnable Web Mail Client Multiple Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



MailEnable Web Mail Client Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

"MailEnable's mail server software provides a powerful, scalable hosted
messaging platform for Microsoft Windows. MailEnable offers stability,
unsurpassed flexibility and an extensive feature set which allows you to
provide cost-effective mail services."
<http://www.mailenable.com/default.asp>

Multiple vulnerabilities have been discovered in MailEnable Web Mail
Client, which can be exploited by malicious people to conduct cross-site
scripting, cross-site request forgery, and script insertion attacks.

DETAILS

Vulnerable Systems:
* MailEnable Professional Edition version 2.351
* (Other versions may also be affected.)

1) Scripts in email messages are not properly sanitised before being
displayed in the email message. This can be exploited to insert arbitrary
HTML and script code, which is executed in a user's browser session in
context of an affected site when a user views a specially crafted email
message.

2) Input passed to the "ID" parameter in
mewebmail/base/default/lang/EN/right.asp,
mewebmail/base/default/lang/EN/Forms/MAI/list.asp, and
mewebmail/base/default/lang/EN/Forms/VCF/list.asp is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code in a user's browser session in
context of an affected site. Successful exploitation requires that the
target user is logged in.

3) The application allows users to send messages via HTTP requests without
performing any validity checks to verify the request. This can be
exploited to change a user's settings by e.g. tricking a target user into
visiting a malicious website.
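
Added example, not part of the Secunia advisory or of MailEnable's code: a detection pass for issue 2 that reads IIS W3C extended logs and flags requests to the three named scripts whose "ID" value decodes to HTML metacharacters. It assumes the webmail is served by IIS with cs-uri-stem and cs-uri-query logged; the function names and the sample log are constructed for illustration.

```python
from urllib.parse import parse_qsl, unquote

# The three scripts named in the advisory (IIS treats paths case-insensitively).
AFFECTED = tuple(p.lower() for p in (
    "mewebmail/base/default/lang/EN/right.asp",
    "mewebmail/base/default/lang/EN/Forms/MAI/list.asp",
    "mewebmail/base/default/lang/EN/Forms/VCF/list.asp",
))
HTML_META = set("<>\"'")  # characters that matter when a value is echoed into HTML

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so that %253C is also seen as '<'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_id_requests(log_lines):
    """Return (client_ip, uri_stem, decoded_id) for requests to the affected
    scripts whose ID parameter carries HTML metacharacters."""
    fields, hits = [], []
    for line in log_lines:
        if line.startswith("#Fields:"):      # W3C header defines the columns
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(AFFECTED):
            continue
        for name, value in parse_qsl(rec.get("cs-uri-query", ""), keep_blank_values=True):
            decoded = fully_decode(value)
            if name.lower() == "id" and HTML_META & set(decoded):
                hits.append((rec.get("c-ip", "-"), stem, decoded))
    return hits

# Constructed sample log (addresses, dates, ID values and other.asp are made up).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2007-02-14 10:00:01 192.0.2.10 GET /mewebmail/base/default/lang/EN/right.asp ID=42 200
2007-02-14 10:00:07 192.0.2.77 GET /mewebmail/base/default/lang/EN/Forms/MAI/list.asp ID=%3Cb%3Ex%3C/b%3E 200
2007-02-14 10:00:09 192.0.2.77 GET /MEWebMail/base/default/lang/en/Forms/VCF/list.asp id=%2522%253E 200
2007-02-14 10:00:12 192.0.2.10 GET /mewebmail/other.asp ID=%3Cb%3E 200
""".splitlines()

if __name__ == "__main__":
    print(*suspicious_id_requests(SAMPLE_LOG), sep="\n")
```

A hit records an attempt, not a successful exploitation, since the advisory notes the target user must be logged in. Parameters sent in a POST body do not appear in cs-uri-query and are not covered by this check.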

Solution:
Update to the latest version.
http://www.mailenable.com/download.asp

Disclosure Timeline:
* 06/02/2007 - Vendor notified.
* 06/02/2007 - Vendor response.
* 13/02/2007 - Request for status update.
* 13/02/2007 - Vendor response with fix information.
* 14/02/2007 - Public disclosure.


ADDITIONAL INFORMATION

The information has been provided by Secunia Research.
The original article can be found at:
http://secunia.com/secunia_research/2007-38/advisory/


