eeye.99-05-26.mult_web_interface
3ad3f904295e6f4482cc582b41a652a6d50b69a0dee2928c7149a825a6a4fa20
eEye - Digital Security Team Alert
Multiple Web Interface Security Holes
Systems Affected
CMail 2.3
FTGate 2,1,2,1
NTMail 4.20
Release Date
May 26, 1999
Advisory Code
AD05261999
Description:
The following holes were found while testing Retina against a few various services that have web
based interfaces. The holes are nothing amazing just common amongst many web based interfaces. We
are sure some other software will be found with similar holes... if you come across some contact
info@eeye.com and let us know.
CMail
The default location of the web based interface for CMail is C:\Program Files\Computalynx\CMail
Server\pages\. It is a simple hole. For example if we were to load
http://[server]:8002/../spool/username/mail.txt in our web browser we would be looking at the email
for that user. Note: Mail.txt is not the real mail file. There is one minor problem... reading of
files is not totally straight forward. It seems CMail has some mechanism of what it will read or
not. If you have a text file with no carriage returns in it CMail will not read it. There also
exists multiple buffer overflows within the various SMTP and POP server functions of CMail. Yes they
are exploitable. >:-]
FTGate
Same as above basically. http://[server]:8080/../newuser.txt The only difference is that FTGate
doesn't seem to mind if the file has the carriage returns or not.
NTMail
NTMail suffers from the same programming flaw... http://[server]:8000/../../../../../boot.ini.
There is other server software out there that suffers from these common holes. An average of 65% of
the software we have tested thus far has had problems with restricting the path that they allow.
NTMail as well as the other two can be run as a service, NTMail does it by default, therefore you
can read files as SYSTEM on most of them.
Fixes
Disable the web interfaces where applicable until the vendors release patches.
Vendor Status
All vendors have been notified.
Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert electronically. It is not to be
edited in any way without express consent of eEye. If you wish to reprint the whole or any part of
this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.
Disclaimer:
The information within this paper may change without notice. Use of this information constitutes
acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
info@eEye.com
http://www.eEye.com