
Exploit Labs Security Advisory 2004.2

Posted Jun 7, 2004
Authored by Donnie Werner, Exploit Labs | Site exploitlabs.com

SurgeMail 1.x is susceptible to a cross site scripting attack.

tags | advisory, xss
SHA-256 | e147d20f72f67a6e383c4c5c6754d254d02006b048bfcbfb5ace73ccb50f3091

------------------------------------------------------------
- EXPL-A-2004-002 exploitlabs.com Advisory 028 -
------------------------------------------------------------
- Surgemail -



OVERVIEW
========
"SurgeMail is a next generation Mail Server -
Combining features, performance and ease of
use into a single integrated product.
Ideal on Windows NT/2K, or Unix (Linux, Solaris etc)
and supports all the standard protocols
IMAP, POP3, SMTP, SSL, ESMTP."


SurgeMail suffers from two basic remote vulnerabilities:

1. Information Disclosure. When a nonexistent filename is requested, the
STDERR output is rendered to the user, disclosing the physical directory
structure.

2. XSS (cross site scripting) via the login form, and in particular
the "username" field. This allows for credential theft via externally
hosted malicious script. This affects both HTTP and HTTPS access vectors.



AFFECTED PRODUCTS
=================
Surge Mail
( Win32 and *nix through versions 1.9 )

WebMail v3.1d Copyright © NetWin Ltd

http://netwinsite.com/index.html
http://netwinsite.com/overviews.htm
http://netwinsite.com/server/email_server_software.htm


DETAILS
=======
1. Information Disclosure
SurgeMail's web-based interface reveals the physical
directory structure when a nonexistent resource (404)
is requested.


http://x.x.x.x/[nonexistent request]

http://x.x.x.x:7080/scripts/
"Could not create process D:\surgemail/scripts/ Access Denied
Is the url correct, check for a log file in the scripts directory
and run the process in a shell window (D:\surgemail)"

http://x.x.x.x:7080/scripts/err.txt
"Could not create process D:\surgemail/scripts/err.txt File Not Found
Is the url correct, check for a log file in the scripts directory
and run the process in a shell window (D:\surgemail)"

http://x.x.x.x/scripts/err.txt
CGI did not respond correctly, it probably exited abnormally or the file
may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()



2. XSS ( cross site scripting )

The login form username field is vulnerable to XSS.


================ snip ========================

http://x.x.x.x:7080/
http://x.x.x.x:7080/<script>alert('Vulnerable')</script>
http://x.x.x.x:7080/<script>alert(document.cookie)</script>

================ snip ========================
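
Both findings come from how the error page is built: the requested path and the internal error text are echoed back unmodified. The following is an added example, not SurgeMail code or part of the original advisory; it contrasts that behaviour with an escaped, path-free error page and adds a check that flags either flaw in a response body. All function names and the path regex are assumptions, and the sample inputs are constructed from the strings quoted above.

```python
import html
import logging
import re
import uuid

log = logging.getLogger("webmail.errors")

# Absolute-path patterns like the ones quoted in the advisory's error text
# (assumed heuristic, extend for your own install locations).
FS_PATH = re.compile(r"[A-Za-z]:\\[\w.\\/-]+|/(?:usr|var|opt|home|etc)/[\w./-]+")


def render_error_unsafe(request_path: str, detail: str) -> str:
    """Behaviour the advisory describes: raw path and raw internal error echoed."""
    return f"<html><body><p>{request_path}</p><p>{detail}</p></body></html>"


def render_error_safe(request_path: str, detail: str) -> str:
    """Escape the reflected path; keep the internal detail in the server log only."""
    ref = uuid.uuid4().hex[:8]
    log.warning("error ref=%s path=%r detail=%s", ref, request_path, detail)
    shown = html.escape(request_path, quote=True)
    return (f"<html><body><p>Not found: {shown}</p>"
            f"<p>Reference {ref}</p></body></html>")


def audit_error_page(body: str, request_path: str) -> list:
    """Return findings for an error page that was generated for request_path."""
    findings = []
    # Reflection: the request carried markup characters and comes back verbatim.
    if re.search(r"[<>\"']", request_path) and request_path in body:
        findings.append("unescaped-reflection")
    if FS_PATH.search(body):
        findings.append("filesystem-path-disclosure")
    return findings


# Constructed inputs modelled on the DETAILS section of the advisory.
SAMPLE_PATH = "/<script>alert('Vulnerable')</script>"
SAMPLE_DETAIL = r"Could not create process D:\surgemail/scripts/err.txt File Not Found"

if __name__ == "__main__":
    for render in (render_error_unsafe, render_error_safe):
        page = render(SAMPLE_PATH, SAMPLE_DETAIL)
        print(render.__name__, audit_error_page(page, SAMPLE_PATH))
```
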



SOLUTION
========
Vendor contacted May 16, 2003 support-surgemail@netwinsite.com
Vendor acknowledgement received May 17, 2003

Vendor Patch / Version 2.0c released June 2, 2004
and may be obtained at
ftp://ftp.netwinsite.com/pub/surgemail/beta
http://www.netwinsite.com/surgemail/help/updates.htm


PROOF OF CONCEPT
================
( see DETAILS )


CREDITS
=======
This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

Donnie Werner

mail: morning_wood@exploitlabs.com
--
web: http://exploitlabs.com
web: http://zone-h.org


