EMU Webmail Input Validation Errors Disclose the Web Root Directory and Allow Cross-Site Scripting Attacks

SecurityTracker Alert ID: 1005305
CVE Reference: GENERIC-MAP-NOMATCH
Updated: Sep 27 2002
Original Entry Date: Sep 27 2002
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 5.1

Description: Several vulnerabilities were reported in EMU Webmail. A remote user can determine the web root directory path and can conduct cross-site scripting attacks against other EMU Webmail users.

A remote user can reportedly determine the web root path by inserting the following type of string into the e-mail form:

<script>alert(@)</script>

It is also reported that the "Form Object Field" on the main page does not filter HTML tags. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the EMU Webmail site and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. This flaw is reportedly due to the failure of emumail.cgi to strip script tags.

A demonstration exploit URL is provided:

http://[server]/emumail.cgi?><script>alert(document.cookie)</script>

Impact: A remote user can determine the web root directory path.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running EMU Webmail, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution: No solution was available at the time of this entry.
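
The advisory lists no fix and does not show the source of emumail.cgi. The Perl below is an added example, not the vendor's or the reporter's code: it assumes, from the quoted regexp error, that the submitted address is interpolated into a pattern, and sets that form beside one that quotes the value, keeps the die text out of the response, and HTML-encodes what it reflects. All sub names and the sample input are hypothetical.

```perl
use strict;
use warnings;

# Encode HTML-significant characters before reflecting a value in a page.
sub html_escape {
    my ($s) = @_;
    my %ent = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
               '"' => '&quot;', "'" => '&#39;');
    $s =~ s/([&<>"'])/$ent{$1}/g;
    return $s;
}

# Weak form: the submitted value becomes part of the pattern, so a stray
# ")" in it makes regex compilation die at run time.
sub match_unsafe {
    my ($addr, $line) = @_;
    return $line =~ /\s+$addr\s+/ ? 1 : 0;
}

# Hardened form: \Q...\E (quotemeta) treats the value as a literal string.
sub match_safe {
    my ($addr, $line) = @_;
    return $line =~ /\s+\Q$addr\E\s+/ ? 1 : 0;
}

# Build the reply. Errors go to the server log only; the client sees a
# fixed message with no file path or line number.
sub render {
    my ($addr, $line) = @_;
    my $found = eval { match_safe($addr, $line) };
    if ($@) {
        warn "address match failed: $@";
        return "An internal error occurred.";
    }
    return sprintf("Address %s: %s", html_escape($addr),
                   $found ? "found" : "not found");
}

# Constructed sample value (an assumption, not taken from the advisory).
my $input = 'a)<b>@example.org';
my $line  = " $input ";

my $ok = eval { match_unsafe($input, $line); 1 };
print "unsafe: ", ($ok ? "no error\n" : "died: $@");
print "safe:   ", render($input, $line), "\n";
```

The die text printed for the unsafe form carries the script's path and line number, which is the kind of detail the advisory reports reaching the browser.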

Vendor URL: www.emumail.com/solutions/webmail/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: FVS <fab@aisec.net>
Message History: None.

Source Message Contents

Date: Thu, 26 Sep 2002 14:18:13 -0400
From: FVS <fab@aisec.net>
Subject: [VulnWatch] EMU Webmail 5.0 XSS vuln, and webroot path disclosure

Hey all...
Found a couple vulns in EMU Webmail 5.0. You'll find the Advisories
attached..
Thanks,
fab@aisec.net
http://www.aisec.net
Information Security Team.

Attachment: AIS-0004-EMU Webmail webroot Path disclosure.txt

AIS advisory # 0004 EMU Webmail Webroot Path Disclosure
==========Software Affected==========
EMU Webmail 5.0
With vendor patches applied. The patches include: http://www.emumail.com/bin/PATCH-ApacheWebserver-01.tar.gz
And:
http://www.emumail.com/bin/EmuWebmail-5.1.0-PATCH101.tar.gz
==========Vendor==========
http://www.emumail.com
==========Description==========
Our premiere messaging product gives your employees and customers the flexibility of checking their email through your branded
interface from any computer connected to the internet.
==========Vulnerability==========
Webroot Path Disclosure
By inserting a string such as this into the Email form:
<script>alert(@)</script>
Will return:
"Software error:
/\s+)my.com)</script>\s+/: unmatched () in regexp at /home/EMU/webmail/html/emumail.cgi line 834.
Giving you the path to the webroot.
============Fix===============
parse script tags when they're processed?
=================================================================================
fab@aisec.net
http://www.aisec.net
Information Security Team.

Attachment: AIS-0005-EMU Webmail XSS.txt

AIS advisory # 0005 XSS in Emu Webmail 5.0
==========Software Affected==========
Emu Webmail 5.0
With vendor patches applied. The patches include: http://www.emumail.com/bin/PATCH-ApacheWebserver-01.tar.gz
And:
http://www.emumail.com/bin/EmuWebmail-5.1.0-PATCH101.tar.gz
===============Vendor================
http://www.emumail.com
==============Summary================
Cross Site Scripting Attack in Emu Webmail 5.0
=============Description=============
Our premiere messaging product gives your employees and customers the flexibility of checking their email through your branded
interface from any computer connected to the internet.
============Vulnerability============
The failure to strip script tags in emumail.cgi allows for XSS type of attack.
Entering the string below into the email address field on the main form:
<script>alert(document.cookie)</script>
Depending on what functions you throw in there, you get certain contents of the emumail.cgi file.
============Discovered by============
fab@aisec.net
http://www.aisec.net
Information Security Team.
================FIX (if any) ========