Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
Mailtraq E-mail Server Discloses Script Source Code to Remote Users and Permits Cross-Site Scripting Attacks
|
|
SecurityTracker Alert ID: 1006914 |
|
SecurityTracker URL: http://securitytracker.com/id/1006914
|
|
CVE Reference:
GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Jun 4 2003
|
Impact:
Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
|
Exploit Included: Yes
|
Version(s): 2.3.0.1413
|
Description:
Ziv Kamir reported several vulnerabilities in the Mailtraq e-mail server. A remote user can view ASP source code, determine the installation path, and conduct cross-site scripting attacks.
It is reported that a remote user can append a period character ('.') to a URL request for an ASP script to view the source of the ASP script. A demonstration exploit URL is provided:
http://[target]/browse.asp.
A remote authenticated user with WebMail privileges can reportedly determine the installation path by requesting the following type of URL:
http://[target]/browse.asp*
It is also reported that the 'browse.asp' script displays user-supplied input without filtering HTML code from the input. A remote user can create a specially crafted URL that, when loaded by a target Mailtraq WebMail user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Mailtraq server and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/browse.asp?cfolder=<script>alert(document.cookie)</script>
http://[target]/browse.asp?<script>alert(document.cookie)</script>
The vendor has reportedly been notified (on June 4, 2003).
|
Impact:
A remote user can view ASP source code.
A remote authenticated WebMail user can determine the installation path.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the Mailtraq server, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
|
Solution:
No solution was available at the time of this entry.
|
Vendor URL: www.mailtraq.com/ (Links to External Site)
|
Cause:
Access control error, Exception handling error, Input validation error
|
Underlying OS:
Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 4 Jun 2003 06:46:26 -0700 (PDT)
Subject: Vulnerability in The Mailtraq Server
|
This is a multi-part message in MIME format.
--------------060502030000080704030701
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hi ,
Attach TxT file .
------------------------------------------------------------------------
Do you Yahoo!?
The New Yahoo! Search
<http://us.rd.yahoo.com/search/mailsig/*http://search.yahoo.com> -
Faster. Easier. Bingo.
--------------060502030000080704030701
Content-Type: text/plain;
name="Mailtraq.txt"
Content-Transfer-Encoding: 8bit
Content-Disposition: inline;
filename="Mailtraq.txt"
04/06/03
Ziv Kamir
---------
-------------------------------------------------------
Application: Mailtraq
Web Site: http://www.mailtraq.com/
Versions: 2.3.0.1413
Platform: Windows
Bug:
1) A remote user can view ASP source code.
2) Disclosing the full path of the Mailtraq installation directory.
3) CSS ( Cross Site Scripting )
Credits:
########
#################################
# #
# Ziv Kamir #
# #
# Email : vulncode@yahoo.com #
# #
# #
#################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Mailtraq 2.2 is the alternative to Microsoft® Exchange™. It is our most powerful email server yet, providing industrial-strength email
services for your organisation using POP3, SMTP, IMAP, LDAP and HTTP - compatible with all major email clients. A Windows-based software
solution, Mailtraq provides a secure platform, with on-line virus detection integration, spam filtering, webmail, instant messaging
and more ...
=======
2) Bug
=======
1) Any remote user can append a '.' char to the end of a URL for a ASP file to view the source code of the file.
2) Any authorized user that have the WebMail option can Disclosing the full path of the Mailtraq installation directory .
===========
3) The Code
===========
1) http://10.10.10.1/browse.asp.
2) http://10.10.10.1/browse.asp*
Response :
==========
ERROR
Cannot open file C:\Program Files\Mailtraq\WebMail\browse.asp*
3) http://10.10.10.1/browse.asp?cfolder=<script>alert(document.cookie)</script>
or
http://10.10.10.1/browse.asp?<script>alert(document.cookie)</script>
======
4) Fix
======
Date of Vendor Notification:
04-06-03
Status:
==============================================================================================
*** The Data is for educational purpose only. ***
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or special damages.
==============================================================================================
--------------060502030000080704030701--
|
|
Go to the Top of This SecurityTracker Archive Page
|
