602Pro LAN SUITE Discloses Directory Listings and Installation Path to Remote Users

SecurityTracker Alert ID: 1009255
CVE Reference: CAN-2004-0335, CAN-2004-0336, CAN-2004-0337
Updated: Mar 23 2004
Original Entry Date: Feb 28 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 1.04

Description: Rafel Ivgi (The-Insider) reported a vulnerability in 602Pro LAN SUITE. A remote user can view directory listings on the system, determine the physical installation path, and conduct cross-site scripting attacks. [Editor's note: The vendor disputes some of these claims.]

It is reported that a remote user can use the following URLs to obtain a directory listing [CVE: CAN-2004-0335]:

http://<host>/index.html - directory listing
http://<host>/cgi-bin/
http://<host>/users/

[Editor's note: The vendor reports that this is a configuration option. The user can use the 'Directory browsing' feature to enable or disable this behavior.]

It is reported that the login form ('http://<host>/mail/') contains a hidden variable 'Mail602Dir' that discloses the LAN SUITE installation path [CVE: CAN-2004-0336]. [Editor's note: The vendor has confirmed this flaw.]

It is also reported that 'index.html' does not filter HTML code from user-supplied input before displaying it [CVE: CAN-2004-0337]. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the 602Pro LAN SUITE software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user. A demonstration exploit URL is provided:

http://<host>/index.html/<script>alert('XSS')</script>

[Editor's note: The vendor has been unable to reproduce this claim.]

Impact: A remote user can view certain directory listings. A remote user can determine the installation path. A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the 602Pro LAN SUITE software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

[Editor's note: The vendor has confirmed the path disclosure vulnerability, has indicated that the directory listing feature is configurable by the user and, as such, is not a vulnerability, and has been unable to reproduce the cross-site scripting report.]

Solution: The vendor has issued a fix for the path disclosure flaw in 602LAN SUITE 2004, available at:
http://www.software602.com/download/

Vendor URL: www.software602.com/

Cause: Access control error, Input validation error

Underlying OS: Windows (Any)

Reported By: "Rafel Ivgi, The-Insider" <theinsider@012.net.il>

Message History: This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Sat, 28 Feb 2004 15:12:19 +0200
From: "Rafel Ivgi, The-Insider" <theinsider@012.net.il>
Subject: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities
#######################################################################
Application: LAN SUITE Web Mail
Server: WEB602/1.04
Vendors: Software602, Inc
http://www.software602.com
Versions: 602Pro
Platforms: Windows
Bug: Directory Listing, Local Path Disclosure and Cross Site Scripting
Risk: Medium
Exploitation: Remote with browser
Date: 28 Feb 2004
Author: Rafel Ivgi, The-Insider
E-mail: the_insider@mail.com
Website: http://theinsider.deep-ice.com
#######################################################################
1) Introduction
2) Bugs
3) The Code
#######################################################################
===============
1) Introduction
===============
Software602's PC Suite features a highly capable word processor, spreadsheet, and photo editor/organizer--and it won't cost you a dime if you're a home user. (Commercial customers pay $60, and all users must register the software within 30 days to unlock all the features.) Can it compete feature for feature with Word and Excel? No, but it has the essential tools you use every day. You can even get help, if you're willing to pay for it: E-mail support costs $50 for one year; phone support is $60 per incident.
#######################################################################
======
2) Bug
======
Directory Listing:
-----------------------
Upon referring to index.html, the directory listing of the folder is printed:
http://<host>/index.html - directory listing
http://<host>/cgi-bin/
http://<host>/users/
Local Path Disclosure:
-------------------------------
Inside the mail login form, the local path of the server's folder is specified.
http://<host>/mail/
<input type="hidden" name="Mail602Dir" value="C:\LANSUITE">
Cross Site Scripting:
----------------------------
When referring to index.html as a folder, text and script injection is available.
http://<host>/index.html/<script>alert('XSS')</script>
#######################################################################
===========
3) The Code
===========
Directory Listing: http://<host>/index.html
Directory Listing: http://<host>/cgi-bin/
Local Path Disclosure: <input type="hidden" name="Mail602Dir" value="C:\LANSUITE">
Cross Site Scripting:
http://<host>/index.html/<script>alert('XSS')</script>
#######################################################################
---
Rafel Ivgi, The-Insider
http://theinsider.deep-ice.com
"Things that are unlikeable, are NOT impossible."
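The reflected path-info behaviour described in the cross-site scripting report above, modelled as an added example (not code from the advisory or from Software602): a handler that echoes whatever follows 'index.html' in the request path, the same handler with entity escaping, and an access-log check that flags such probes. It assumes 'index.html' is the echoing entry point; the request paths and log lines are constructed samples.

```python
"""Added example (not the advisory's or Software602's code): models the reflected
XSS root cause reported above. Anything after 'index.html' in the request path is
treated as extra path info and echoed into the page; the hardened handler escapes
it, and a log helper flags such probes. All paths/log lines are constructed."""
import html
import re
from urllib.parse import unquote

SCRIPT_NAME = "/index.html"  # assumed entry point, as named in the report
_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')  # CLF request line

def path_info(request_path: str) -> str:
    """Decoded trailing path info after index.html ('' if none)."""
    idx = request_path.find(SCRIPT_NAME)
    if idx == -1:
        return ""
    return unquote(request_path[idx + len(SCRIPT_NAME):])

def vulnerable_page(request_path: str) -> str:
    """Reflects the path info verbatim: the behaviour the report describes."""
    return f"<html><body>Cannot find {path_info(request_path)}</body></html>"

def hardened_page(request_path: str) -> str:
    """Same page, with markup characters turned into entities before reflection."""
    safe = html.escape(path_info(request_path), quote=True)
    return f"<html><body>Cannot find {safe}</body></html>"

def flag_reflection_probes(log_lines):
    """Return request paths whose path info after index.html carries markup characters."""
    flagged = []
    for line in log_lines:
        m = _REQUEST.search(line)
        if m and any(ch in path_info(m.group(1)) for ch in "<>\"'"):
            flagged.append(m.group(1))
    return flagged

# Constructed access-log sample: two ordinary requests and one URL-encoded probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [28/Feb/2004:15:12:19 +0200] "GET /index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [28/Feb/2004:15:12:20 +0200] "GET /users/ HTTP/1.0" 200 1024',
    '10.0.0.9 - - [28/Feb/2004:15:13:01 +0200] "GET /index.html/%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.0" 404 300',
]
```

The escaped page still shows the requested name to the user, but as text rather than markup, which is the fix the report's finding calls for; the log check decodes the path first so percent-encoded probes are not missed.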