what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Rockliffe.txt

Rockliffe.txt
Posted Oct 30, 2005
Authored by Paul Craig | Site security-assessment.com

During an audit of a client, Security-Assessment.com discovered multiple critical vulnerabilities within the RockLiffe MailSite Express WebMail software. The vulnerabilities include the retrieval of arbitrary files from the web server, and bypassing attachment validation routines allowing for remote code execution. Exploitation details included. All versions of RockLiffe MailSite Express WebMail prior to version 6.1.22 are affected.

tags | exploit, remote, web, arbitrary, vulnerability, code execution
SHA-256 | 620b1bc3c58fa84fa86dd64e75b2c243efc3431f8bb6eb7c5bd361422269be97

Rockliffe.txt

Change Mirror Download
========================================================================
= Multiple vulnerabilities within RockLiffe MailSite Express WebMail
=
= Also available online at
=
http://www.security-assessment.com/Advisories/Rockliffe_Express_Webmail_Vuln
erabilities.pdf
=
= Vendor Website:
= http://www.rockliffe.com
=
= Affected Version:
= All versions of RockLiffe MailSite Express WebMail prior v6.1.22
=
=
= Public disclosure on October 28th, 2005
========================================================================

== Overview ==

During an audit of a client, Security-Assessment.com discovered multiple
critical vulnerabilities within the RockLiffe MailSite Express WebMail
software.

The vulnerabilities include the retrieval of arbitrary files from the
web server, and bypassing attachment validation routines allowing for
remote code execution.

== Exploitation ==

Exploit 1: Cross Site Scripting Vulnerabilities
------------------------------------------------------------------------

Recipients who save their login information locally are vulnerable to
account theft when viewing HTML encoded messages with embedded JavaScript.

When the option to save login information is selected the users password
is stored as plaintext within the cookie.

Crafting an email with scripting in the body will cause the execution of
the scripting in the context of the site, allowing for the theft of the
stored credentials.

A basic test for this is to include the following in the body of a message;
<script> alert(document.cookie) </script>

Exploit 2: Multiple Script Attachment Validation Flaws
------------------------------------------------------------------------

The WebMail software attempts to verify the validity of an attachment within
a received message. It automatically modifies the extension of any files
ending in .asp, by changing them to .asp.txt. This is an attempt to avoid
remote code execution through an attached file.

However, these validity checks can be defeated and script files saved to
the server.

By default, only files ending in .asp are identified and rejected as script
files. If a malicious user were to attach an .asa file instead, Web Mail
would accept the script attachment, saving the file locally with the
.asa extension.

When the .asa file is requested the script contents are executed in the same
manner as a .asp file. This flaw could also be affected by other extensions
such as .htr and .aspx.

A similar flaw exists when an attachment is sent with the filename
unknown.unk.

In this instance the message subject is used as the file name, and .asa
script files can be saved locally.

Exploit 3: Retrieve Arbitrary System Files via Web Mail
------------------------------------------------------------------------

The location of file attachments for a mail message currently been composed,
are stored as a physical file path included in the HTML as a hidden field.

An example of this is shown below;

<input type="hidden" name="AttachPath"
value="H:\Express3Webmail6.1.20\cache\5116FC5113B47C0B1CDD5\440820634>

This value points to the location where the attachments for the message are
stored, by default all files within this directory are considered
attachments for the message currently being composed.

This value can be manipulated and a message can be sent with arbitrary
'attachments'.

For example, posting the variable AttachPath = H:\Express3Webmail6.1.20\
would send the recipient a copy of the docroot.

== Solutions ==

Security-Assessment.com has been in contact with RockLiffe software and a
new version of the software has been released to address the discovered
vulnerabilities.

Security-Assessment.com urges RockLiffe users to upgrade to v6.1.22
by downloading the new version at
http://www.rockliffe.com/userroom/download.asp

== Credit ==

Discovered and advised to RockLiffe software July, 2005 by Paul Craig of
Security-Assessment.com

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.

 

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close