what you don't know can hurt you

WebAdmin302.txt

WebAdmin302.txt
Posted Jan 29, 2005
Authored by David Alonso Perez

Alt-N WebAdmin, the web application used to administer MDaemon and RelayFax, is susceptible to cross site scripting, html injection, and unauthenticated account modification vulnerabilities. Versions 3.0.2 and below are susceptible.

tags | exploit, web, vulnerability, xss
SHA-256 | 3248495f1d679d6e5e1767f9bda0c7cfd2ea42a402d286793af304c0def1cfd0

WebAdmin302.txt

Change Mirror Download
WebAdmin is a web application to administer MDaemon and RelayFax. It
can be run on its own or as an ISAPI application under Microsoft
Internet Information Services (IIS). MDaemon is an e-mail server for
Microsoft Windows. RelayFax is a fax server also for Microsoft
Windows. Both applications have been developed by the same company
than WebAdmin, Alt-N Technologies, and is not included by default with
MDaemon, nor with RelayFax.

>From Alt-N Website:

WebAdmin allows administrators to securely manage MDaemon, RelayFax,
and WorldClient from anywhere in the world. This convenient remote
administration tool is FREE of charge and is a separate download from
MDaemon.

The current version of WebAdmin is 3.0.4.

http://www.altn.com/products/default.asp?product%5Fid=WebAdmin


The Problems:

(1) Cross Site Scripting (XSS)
==========================

A Cross Site Scripting exists on the useredit_account.wdm file. Example:
http://server/WebAdmin/useredit_account.wdm?user=%3Cscript%3Ealert('test')%3C/script%3E



(2) Users can edit all the user accounts
====================================

There is no validation on the useredit_account.wdm script to disable
access to other user accounts. Example:
http://server/WebAdmin/useredit_account.wdm?user=otheruser@domain



(3) HTML Injection
==============

The file modalfram.wdm allows to load any web page to make it look as
if comes from the WebAdmin server. Example:
http://server/WebAdmin/modalframe.wdm?file=http://other_server/page.wdm



- This vulnerabilities would not enable an attacker to gain any
privileges on an affected computer.

- An attacker will need to be able to logon to WebAdmin to take
advantage of vulnerability number 2, but he will only be able to view
or modify the settings that he can modify on his own account (for
example, if an user cannot modify his own "Name", he won't be able to
modify the name in any other account, but if he can modify his own
"Name", he will be able to modify the name in any other account).



Vendor notified on December 14, 2004.
Vendor replied on December 14, 2004.
Patch released on December 14, 2004.



David A. Pérez

_ _ _
| | __ __ _ _ __ ___ | |__ ___ _ __ (_) ___
| |/ / / _` || '_ ` _ \ | '_ \ / _ \ | '__|| | / _ \
| < | (_| || | | | | || |_) || (_) || | | || (_) |
|_|\_\ \__,_||_| |_| |_||_.__/ \___/ |_| |_| \___/
El perdón es la venganza de los buenos (anónimo)


http://www.kamborio.com/?Section=Articles&Mode=select&ID=56
Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    0 Files
  • 17
    May 17th
    0 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close