eEye - Digital Security Team Alert
   
   Multiple Web Interface Security Holes
   Systems Affected
   CMail 2.3
   FTGate 2,1,2,1
   NTMail 4.20
   Release Date
   May 26, 1999
   Advisory Code
   AD05261999
   Description:
   The following holes were found while testing Retina against a few various services that have web
   based interfaces. The holes are nothing amazing just common amongst many web based interfaces. We
   are sure some other software will be found with similar holes... if you come across some contact
   info@eeye.com and let us know.
   CMail
   The default location of the web based interface for CMail is C:\Program Files\Computalynx\CMail
   Server\pages\. It is a simple hole. For example if we were to load
   http://[server]:8002/../spool/username/mail.txt in our web browser we would be looking at the email
   for that user. Note: Mail.txt is not the real mail file. There is one minor problem... reading of
   files is not totally straight forward. It seems CMail has some mechanism of what it will read or
   not. If you have a text file with no carriage returns in it CMail will not read it. There also
   exists multiple buffer overflows within the various SMTP and POP server functions of CMail. Yes they
   are exploitable. >:-]
   FTGate
   Same as above basically. http://[server]:8080/../newuser.txt The only difference is that FTGate
   doesn't seem to mind if the file has the carriage returns or not.
   NTMail
   NTMail suffers from the same programming flaw... http://[server]:8000/../../../../../boot.ini.
   There is other server software out there that suffers from these common holes. An average of 65% of
   the software we have tested thus far has had problems with restricting the path that they allow.
   NTMail as well as the other two can be run as a service, NTMail does it by default, therefore you
   can read files as SYSTEM on most of them.
   Fixes
   Disable the web interfaces where applicable until the vendors release patches.
   Vendor Status
   All vendors have been notified.
   Copyright (c) 1999 eEye Digital Security Team
   
   Permission is hereby granted for the redistribution of this alert electronically. It is not to be
   edited in any way without express consent of eEye. If you wish to reprint the whole or any part of
   this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for
   permission.
   
   Disclaimer:
   
   The information within this paper may change without notice. Use of this information constitutes
   acceptance for use in an AS IS condition. There are NO warranties with regard to this information.
   In no event shall the author be liable for any damages whatsoever arising out of or in connection
   with the use or spread of this information. Any use of this information is at the user's own risk.
   
   Please send suggestions, updates, and comments to:
   
   eEye Digital Security Team
   
   info@eEye.com
   http://www.eEye.com