what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

surgemail22g3.txt

surgemail22g3.txt
Posted Mar 24, 2005
Authored by Tan Chew Keong | Site security.org.sg

A vulnerability was found in SurgeMail's Webmail file attachment upload feature. This vulnerability may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. Two XSS vulnerabilities were also found.

tags | exploit, vulnerability
SHA-256 | bc8b30081d411a63cbb46392a69ad71e4bd6cf541f5daa935b7d38c891ea4700

surgemail22g3.txt

Change Mirror Download


SIG^2 Vulnerability Research Advisory

SurgeMail Webmail Attachment Upload and XSS Vulnerabilities

by Tan Chew Keong
Release Date: 23 Mar 2005

ADVISORY URL
http://www.security.org.sg/vuln/surgemail22g3.html


SUMMARY

SurgeMail (http://netwinsite.com/surgemail/) is a next generation Mail Server - Combining features, performance and ease of use into a single integrated product. Ideal on Windows NT/2K, or UNIX (Linux, Solaris etc) and supports all the standard protocols IMAP, POP3, SMTP, SSL, ESMTP.

A vulnerability was found in SurgeMail's Webmail file attachment upload feature. This vulnerability may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. Two XSS vulnerabilities were also found.


TESTED SYSTEM

SurgeMail Version 2.2g3 Windows on English Win2K SP4.


DETAILS

This advisory document two Webmail vulnerabilities found in SurgeMail server. The first is a file attachment upload vulnerability. This vulnerability may be exploited by a malicious Webmail user to upload files to certain locations on the server, obtain file listings of certain directories, and/or send certain files on the server to him/herself. The second is a Cross-Site Scripting (XSS) vulnerability.

1. File Attachment Upload Vulnerability.

SurgeMail allows a logon user to attach files when composing a new email via the Webmail interface. Uploaded file attachments are temporarily stored in the c:\surgemail\web_work\u_xx\xxxx@hostname@127_0_0_1\attach\SomeRandomNumber\ directory. In particular, the value of SomeRandomNumber is part of this POST request (attach_id parameter) and is under the attacker's control. The server will create the directory "SomeRandomNumber" if it does not exist. By using directory traversal characters, it is possible to cause the uploaded files to be written to other directories.

2. Cross-Site Scripting (XSS) Vulnerabilities.

A user is allowed to configure an email auto-reply message using the Webmail interface. This auto-reply message consist of a message subject and a message header. It is possible to inject javascript in both these fields. If the Webmail administrator views this user's auto-reply message settings, the injected javascript will be executed on his browser. This may be exploited by a malicious user to steal the Webmail administrator's cookies or to redirect the administrator's browser to malicious websites.

Another XSS vulnerability occurs when webmail.exe is displaying an error message in response to an invalid value in the page parameter. The error message also reveals the installation path.


PATCH

Upgrade to the latest version of SurgeMail (Version 3.0c2 or later).


DISCLOSURE TIMELINE

18 Mar 05 - Vulnerability Discovered.
19 Mar 05 - Vulnerability Verification.
19 Mar 05 - Initial Vendor Notification.
22 Mar 05 - Vendor replied with fixed version.
23 Mar 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    23 Files
  • 19
    Sep 19th
    48 Files
  • 20
    Sep 20th
    36 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    38 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close