Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2

From: David Alonso Pérez (kamborio_at_gmail.com)
Date: 01/28/05

  • Next message: Sune Kloppenborg Jeppesen: "[ GLSA 200501-39 ] SquirrelMail: Multiple vulnerabilities" 
    Date: Fri, 28 Jan 2005 14:56:19 +0000
To: bugtraq@securityfocus.com

    WebAdmin is a web application to administer MDaemon and RelayFax. It
    can be run on its own or as an ISAPI application under Microsoft
    Internet Information Services (IIS). MDaemon is an e-mail server for
    Microsoft Windows. RelayFax is a fax server also for Microsoft
    Windows. Both applications have been developed by the same company
    than WebAdmin, Alt-N Technologies, and is not included by default with
    MDaemon, nor with RelayFax.

    From Alt-N Website:

    WebAdmin allows administrators to securely manage MDaemon, RelayFax,
    and WorldClient from anywhere in the world. This convenient remote
    administration tool is FREE of charge and is a separate download from
    MDaemon.

    The current version of WebAdmin is 3.0.4.

    http://www.altn.com/products/default.asp?product%5Fid=WebAdmin

    The Problems:

    (1) Cross Site Scripting (XSS)
        ==========================

    A Cross Site Scripting exists on the useredit_account.wdm file. Example:
    http://server/WebAdmin/useredit_account.wdm?user=%3Cscript%3Ealert('test')%3C/script%3E

    (2) Users can edit all the user accounts
        ====================================

    There is no validation on the useredit_account.wdm script to disable
    access to other user accounts. Example:
    http://server/WebAdmin/useredit_account.wdm?user=otheruser@domain

    (3) HTML Injection
        ==============

    The file modalfram.wdm allows to load any web page to make it look as
    if comes from the WebAdmin server. Example:
    http://server/WebAdmin/modalframe.wdm?file=http://other_server/page.wdm

    - This vulnerabilities would not enable an attacker to gain any
    privileges on an affected computer.

    - An attacker will need to be able to logon to WebAdmin to take
    advantage of vulnerability number 2, but he will only be able to view
    or modify the settings that he can modify on his own account (for
    example, if an user cannot modify his own "Name", he won't be able to
    modify the name in any other account, but if he can modify his own
    "Name", he will be able to modify the name in any other account).

    Vendor notified on December 14, 2004.
    Vendor replied on December 14, 2004.
    Patch released on December 14, 2004.

    David A. Pérez
                                                          
     _ _ _
    | | __ __ _ _ __ ___ | |__ ___ _ __ (_) ___
    | |/ / / _` || '_ ` _ \ | '_ \ / _ \ | '__|| | / _ \
    | < | (_| || | | | | || |_) || (_) || | | || (_) |
    |_|\_\ \__,_||_| |_| |_||_.__/ \___/ |_| |_| \___/
          El perdón es la venganza de los buenos (anónimo)

    http://www.kamborio.com/?Section=Articles&Mode=select&ID=56

  • Next message: Sune Kloppenborg Jeppesen: "[ GLSA 200501-39 ] SquirrelMail: Multiple vulnerabilities"