Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2

from [David Alonso Pérez] Network Security [Permanent Link]
Subject: Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2
Date: Fri, 28 Jan 2005 14:56:19 +0000 
WebAdmin is a web application to administer MDaemon and RelayFax. It
can be run on its own or as an ISAPI application under Microsoft
Internet Information Services (IIS). MDaemon is an e-mail server for
Microsoft Windows. RelayFax is a fax server also for Microsoft
Windows. Both applications have been developed by the same company
than WebAdmin, Alt-N Technologies, and is not included by default with
MDaemon, nor with RelayFax.


From Alt-N Website:


WebAdmin allows administrators to securely manage MDaemon, RelayFax,
and WorldClient from anywhere in the world. This convenient remote
administration tool is FREE of charge and is a separate download from
MDaemon.

The current version of WebAdmin is 3.0.4.

http://www.altn.com/products/default.asp?product%5Fid=WebAdmin


The Problems:

(1) Cross Site Scripting (XSS)
    ==========================

A Cross Site Scripting exists on the useredit_account.wdm file. Example:
http://server/WebAdmin/useredit_account.wdm?user=%3Cscript%3Ealert('test')%3C/script%3E



(2) Users can edit all the user accounts
    ====================================

There is no validation on the useredit_account.wdm script to disable
access to other user accounts. Example:
http://server/WebAdmin/useredit_account.wdm?user=otheruser@domain



(3) HTML Injection
    ==============

The file modalfram.wdm allows to load any web page to make it look as
if comes from the WebAdmin server. Example:
http://server/WebAdmin/modalframe.wdm?file=http://other_server/page.wdm



- This vulnerabilities would not enable an attacker to gain any
privileges on an affected computer.

- An attacker will need to be able to logon to WebAdmin to take
advantage of vulnerability number 2, but he will only be able to view
or modify the settings that he can modify on his own account (for
example, if an user cannot modify his own "Name", he won't be able to
modify the name in any other account, but if he can modify his own
"Name", he will be able to modify the name in any other account).



Vendor notified on December 14, 2004.
Vendor replied on December 14, 2004.
Patch released on December 14, 2004.



David A. Pérez                                        
                                                      
 _                       _                   _        
| | __  __ _  _ __ ___  | |__    ___   _ __ (_)  ___  
| |/ / / _` || '_ ` _ \ | '_ \  / _ \ | '__|| | / _ \ 
|   < | (_| || | | | | || |_) || (_) || |   | || (_) |
|_|\_\ \__,_||_| |_| |_||_.__/  \___/ |_|   |_| \___/ 
      El perdón es la venganza de los buenos (anónimo)


http://www.kamborio.com/?Section=Articles&Mode=select&ID=56
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2, David Alonso Pérez <=
Previous by Date:  [Full-Disclosure] [ GLSA 200501-39 ] SquirrelMail: Multiple vulnerabilities, Sune Kloppenborg Jeppesen
Next by Date:  WebWasher Classic - HTTP CONNECT weakness, Oliver Karow
Previous by Thread:  [Full-Disclosure] [ GLSA 200501-39 ] SquirrelMail: Multiple vulnerabilities, Sune Kloppenborg Jeppesen
Next by Thread:  WebWasher Classic - HTTP CONNECT weakness, Oliver Karow
Indexes:  [Date] [Thread] [Top] [All Lists]