SecurityTracker.com
Category:   Application (E-mail Server)  >   GMS Mail (NTMail)
Vendors:   Gordano
Gordano Messaging Suite (GMS) Can Be Crashed By Remote Users Sending Certain Invalid URLs
SecurityTracker Alert ID:  1007676
SecurityTracker URL:  http://securitytracker.com/id/1007676
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 11 2003
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Exploit Included:  Yes
Version(s): version 9, build 3138
Description:   Some vulnerabilities were reported in the Gordano Messaging Suite (GMS) mail server. A remote user can cause the web-based services to crash. A remote authenticated user can obtain information about the system.

It is reported that a remote user can send an HTTP GET request such as "/../.." to the GMS web server on TCP port 80 to cause the 'www.exe' process to crash. As a result, all GMS web-based services are shut down, the report said. The service must be restarted to return to normal operations.

On the Linux platform, the 'www' process does not crash but instead fails to time out. In this case, the remote user can open multiple connections to cause the target server to become busy and deny service to other users.

It is also reported that a remote authenticated user can access the 'alertlist.mml' script to obtain information about the system, including usernames, domains, login times, and other information. A demonstration exploit URL is provided:

http://[target]:8000/admin/reports/alertlist.mml
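
A defender-side check for both issues described above, as an added example that is not part of the SecurityTracker alert or the vendor's fix: it scans web access logs for request paths that climb above the document root (the "/../.." pattern) and for successful requests to alertlist.mml from hosts outside an admin allowlist. The Common Log Format input, the ADMIN_HOSTS allowlist and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Assumption: Common Log Format from a proxy in front of GMS; the page shows no GMS log format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ADMIN_REPORT = "/admin/reports/alertlist.mml"  # script named in the alert
ADMIN_HOSTS = {"10.0.0.5"}  # hypothetical allowlist of admin workstations

def request_path(target):
    """Decoded, slash-normalised path of a request target, without the query."""
    return unquote(urlsplit(target).path).replace("\\", "/")

def escapes_root(target):
    """True if the path climbs above the document root at any point, e.g. /../.."""
    depth = 0
    for seg in request_path(target).split("/"):
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:
            return True
    return False

def scan(lines):
    """Return (findings, per-client count of root-escaping requests)."""
    findings, escapes = [], Counter()
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skipped rather than guessed at
        client, _method, target, status = m.groups()
        if escapes_root(target):
            escapes[client] += 1
            findings.append((client, "root-escape", target))
        elif (request_path(target).lower() == ADMIN_REPORT
              and status.startswith("2") and client not in ADMIN_HOSTS):
            findings.append((client, "admin-report-access", target))
    return findings, escapes

# Constructed sample log lines, not taken from a real server.
SAMPLE = [
    '192.0.2.10 - - [10/Sep/2003:07:06:13 +0000] "GET /../.. HTTP/1.0" 400 0',
    '192.0.2.10 - - [10/Sep/2003:07:06:14 +0000] "GET /../.. HTTP/1.0" 400 0',
    '198.51.100.7 - - [10/Sep/2003:07:10:00 +0000] "GET /webmail/../index.html HTTP/1.0" 200 512',
    '198.51.100.7 - - [10/Sep/2003:07:11:00 +0000] "GET /admin/reports/alertlist.mml HTTP/1.0" 200 2048',
    '10.0.0.5 - - [10/Sep/2003:07:12:00 +0000] "GET /admin/reports/alertlist.mml HTTP/1.0" 200 2048',
]
```

The per-client counter is there for the Linux case, where repeated requests of this kind from one source tie up the server instead of crashing it; a path such as /webmail/../index.html stays inside the root and is not flagged.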

Impact:   A remote user can cause the GMS web-based services to crash.

A remote authenticated user can obtain information about the system, such as usernames, domains, login times, and other information.

Solution:   The vendor has provided the following fixes:

Linux:

ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/linux/www_h20030905.zip

Windows:

ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/windows/www_h20030905.zip

Vendor URL:  www.gordano.com/Technology/index.htm
Cause:   Access control error, Exception handling error
Underlying OS:   Linux (Any), UNIX (AIX), UNIX (Solaris - SunOS), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Wed, 10 Sep 2003 00:06:13 -0700 (PDT)
Subject:  Gordano Messaging Suite - Multiple Vulnerabilities


Release Date: 09/04/2003 

TITLE 
===== 
Gordano Messaging Suite – Multiple Vulnerabilities 

DESCRIPTION 
=========== 
“Gordano Messaging Suite is the powerful messaging
server running on Windows, Linux, Solaris and AIX. It
is being used by over twenty four thousand customers,
in more than ninety countries, covering all sectors 
(Airlines, Press, Government Agencies, Education,
Industry, etc..)” 

Gordano Messaging Suite is being widely used by some
major organizations such as Compaq, Xerox, NASA, Cisco
Systems, AT&T, FedEx etc… 

More information at http://www.gordano.com 

PROBLEMS 
========= 
Version : Gordano Messaging Suite version 9, build
3138 (latest build) 
Tested Platform : Windows 2000, Windows XP
Professional, Linux(x86) 

Multiple vulnerabilities in Gordano Messaging Suite
(GMS) result in a DoS attack and information disclosure
(usernames, login time, domains, etc…). 

DETAILS 
======= 
[Vulnerability #1] Remote DoS 

x:\<Gordano Path>/bin/WWW.exe listens on the following
ports to provide GMS Administration, WebMail
Professional, WebMail Express, WebMail Mobile, Instant
Messaging, and Web Server services to users: 80, 8000,
8025, 8081, 8888, 9000. 

A user sending a request like /../.. to the GMS
Web Server at port 80 will cause the www.exe process
to terminate, and all services that WWW.exe provides
are shut down immediately. 

~$ telnet 192.168.1.69 
Trying 192.168.1.69... 
Connected to 192.168.1.69 
Escape character is '^]'. 
GET /../.. HTTP/1.0 

Connection closed by foreign host. 

On Linux, the vulnerability doesn’t cause the
/gordano/bin/WWW process to terminate, but it never
times out, and if an attacker opens up something like
15-20 connections sending /../.. requests, it will
probably be enough to keep the GMS Server busy and deny
service to other legitimate users. 

Restarting the service is needed in order to gain
normal functionality. 

[Vulnerability #2] Information Disclosure [requires
valid user credentials] 

Alertlist.mml provides information about users who
have logged in to the GMS Server and discloses some
useful information to attackers, such as usernames,
domains, logged-in time, etc…. It’s supposed to be
accessed by the GMS Server's Administrator only, but a
normal WebMail user can also access that script
without needing to log in as an admin.

http://www.victim.com:8000/admin/reports/alertlist.mml


VENDOR STATUS 
============== 
The vendor has verified the issues; click on the
following links to download the patch. 

Linux platform :
ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/linux/www_h20030905.zip

Windows platform :
ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/windows/www_h20030905.zip


Author: Phuong Nguyen 

Copyright 2012, SecurityGlobal.net LLC