[VulnWatch] EMU Webmail 5.0 XSS vuln, and webroot path disclosure

From: FVS (fab@aisec.net)
Date: 09/26/02


From: FVS <fab@aisec.net>
To: vulnwatch@vulnwatch.org
Date: Thu, 26 Sep 2002 14:18:13 -0400


Hey all...

Found a couple vulns in EMU Webmail 5.0. You'll find the Advisories
attached..

Thanks,

fab@aisec.net
http://www.aisec.net
Information Security Team.


AIS advisory # 0004 EMU Webmail Webroot Path Disclosure

==========Software Affected==========

EMU Webmail 5.0

With vendor patches applied. The patches include: http://www.emumail.com/bin/PATCH-ApacheWebserver-01.tar.gz

And:
http://www.emumail.com/bin/EmuWebmail-5.1.0-PATCH101.tar.gz

==========Vendor==========

http://www.emumail.com

==========Description==========

Our premiere messaging product gives your employees and customers the flexibility of checking their email through your branded interface from any computer connected to the internet.

==========Vulnerability==========

Webroot Path Disclosure

Inserting a string such as the following into the Email form:

<script>alert(@)</script>

returns:

"Software error:
/\s+)my.com)</script>\s+/: unmatched () in regexp at /home/EMU/webmail/html/emumail.cgi line 834.

This gives you the path to the webroot.

============Fix===============

parse script tags when they're processed?

=================================================================================

fab@aisec.net

http://www.aisec.net

Information Security Team.


AIS advisory # 0005 XSS in Emu Webmail 5.0

==========Software Affected==========

Emu Webmail 5.0

With vendor patches applied. The patches include: http://www.emumail.com/bin/PATCH-ApacheWebserver-01.tar.gz

And:
http://www.emumail.com/bin/EmuWebmail-5.1.0-PATCH101.tar.gz

===============Vendor================

http://www.emumail.com

==============Summary================

Cross Site Scripting Attack in Emu Webmail 5.0

=============Description=============

Our premiere messaging product gives your employees and customers the flexibility of checking their email through your branded interface from any computer connected to the internet.

============Vulnerability============

The failure to strip script tags in emumail.cgi allows an XSS-type attack.

Enter the string below into the email address field on the main form:

<script>alert(document.cookie)</script>

Depending on what functions you throw in there, you get certain contents of the emumail.cgi file.

============Discovered by============
fab@aisec.net

http://www.aisec.net

Information Security Team.

================FIX (if any) ========
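
Both advisories come down to form input being treated as syntax rather than data, once inside a regular expression and once in the returned page. The Perl sketch below is an added example, not EMU Webmail code and not part of the original advisories, showing the weak form beside a hardened one. The unsafe pattern is an assumed shape inferred from the error message above, and the sample input, the searched line and all function names are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: an unbalanced ")" plus the advisory's script tag.
my $input = 'user)<script>alert(document.cookie)</script>';
my $line  = "To: $input \n";    # constructed text to search

# Unsafe (assumed shape): input is interpolated as regex syntax, so the
# stray ")" is a fatal compile error that names the script path and line.
sub match_unsafe {
    my ($text, $addr) = @_;
    return $text =~ /\s+$addr\s+/ ? 1 : 0;
}

# Hardened: \Q...\E (quotemeta) makes the input match as a literal string.
sub match_safe {
    my ($text, $addr) = @_;
    return $text =~ /\s+\Q$addr\E\s+/ ? 1 : 0;
}

# Encode anything echoed back into HTML so tags render as text.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Keep error detail in the server log; the client gets a fixed message
# instead of the interpreter's text (what CGI::Carp's fatalsToBrowser sends).
sub run_guarded {
    my ($code) = @_;
    my $result = eval { $code->() };
    if ($@) {
        warn "request failed: $@";
        return 'An internal error occurred.';
    }
    return $result;
}

print 'unsafe: ', run_guarded(sub { match_unsafe($line, $input) }), "\n";
print 'safe:   ', run_guarded(sub { match_safe($line, $input) }), "\n";
print 'echoed: ', html_escape($input), "\n";
```

The full interpreter error, including the script path, still lands in the server log through `warn`, so the detail stays available to operators without reaching the client.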