From se_cur_ity@hotmail.com Thu Jun 3 22:43:05 2004
From: morning_wood
X-Sender: se_cur_ity@hotmail.com
X-Originating-IP: [4.65.228.218]
To: full-disclosure@lists.netsys.com, 0day <0day@nothackers.org>
Date: Thu, 3 Jun 2004 12:39:25 -0700
Subject: [Full-Disclosure] Surgemail - Multiple Vulnerabilities

------------------------------------------------------------
- EXPL-A-2004-002 exploitlabs.com Advisory 028 -
------------------------------------------------------------
- Surgemail -

OVERVIEW
========

"SurgeMail is a next generation Mail Server - Combining features, performance and ease of use into a single integrated product. Ideal on Windows NT/2K, or Unix (Linux, Solaris etc) and supports all the standard protocols IMAP, POP3, SMTP, SSL, ESMTP."

Surgemail suffers from two basic remote vulnerabilities...

1. Information Disclosure: by providing a non-existent filename, the STDERR is rendered to the user, disclosing physical directory structure.

2. XSS (cross site scripting) via the login form, and in particular the "username" field. This allows for credential theft via externally hosted malicious script. This affects both HTTP and HTTPS access vectors.

AFFECTED PRODUCTS
=================

Surgemail (Win32 and *nix through versions 1.9)
WebMail v3.1d
Copyright © NetWin Ltd
http://netwinsite.com/index.html
http://netwinsite.com/overviews.htm
http://netwinsite.com/server/email_server_software.htm

DETAILS
=======

1. Information Disclosure

Surgemail's web based interface reveals physical directory structure by requesting a non-existent (404) request.

http://x.x.x.x/[non-existant request]

http://x.x.x.x:7080/scripts/

"Could not create process D:\surgemail/scripts/ Access Denied Is the url correct, check for a log file in the scripts directory and run the process in a shell window (D:\surgemail)"

http://x.x.x.x:7080/scripts/err.txt

"Could not create process D:\surgemail/scripts/err.txt File Not Found Is the url correct, check for a log file in the scripts directory and run the process in a shell window (D:\surgemail)"

http://x.x.x.x/scripts/err.txt

CGI did not respond correctly, it probably exited abnormally or the file may not exist or have +x access (/usr/local/surgemail/scripts) (err.txt) ()

2. XSS (cross site scripting)

The login form username field is vulnerable to XSS

================ snip ========================
http://x.x.x.x:7080/
http://x.x.x.x:7080/
http://x.x.x.x:7080/
================ snip ========================

SOLUTION
========

Vendor contacted May 16, 2003
support-surgemail@netwinsite.com

Vendor acknowledgement received May 17, 2003

Vendor Patch / Version 2.0c released June 2, 2004 and may be obtained at
ftp://ftp.netwinsite.com/pub/surgemail/beta
http://www.netwinsite.com/surgemail/help/updates.htm

PROOF OF CONCEPT
================

( see DETAILS )

CREDITS
=======

This vulnerability was discovered and researched by
Donnie Werner of exploitlabs

mail: morning_wood@exploitlabs.com
--
web: http://exploitlabs.com
web: http://zone-h.org

ref: http://zone-h.org/en/advisories/read/id=4714/
ref: http://exploitlabs.com/files/advisories/EXPL-A-2004-002-surgmail.txt

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
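The two flaw classes in the advisory (a CGI error message that echoes the server's install path to the client, and a login form that reflects the "username" field unescaped) are illustrated below from the defender's side. This is an added example and not Surgemail code or anything from NetWin or exploitlabs: the install path reuses the `D:\surgemail` value quoted in the advisory, while the `/cgi/user.cgi` path, the log lines and the functions are all constructed for illustration. It shows the leaky and the fixed error handler side by side, attribute-context escaping for the reflected field, and a small access-log check that flags the two request patterns described above (404s under `/scripts/` and markup characters in a `username` parameter).

```python
import html
import re
from urllib.parse import parse_qs

# Hypothetical install directory; the value mirrors the path quoted in the advisory.
INSTALL_DIR = "D:/surgemail"


def cgi_error_unsafe(script: str, reason: str) -> str:
    """Leaky variant: the server's internal path goes straight to the client."""
    return (f"Could not create process {INSTALL_DIR}/scripts/{script} {reason} "
            f"Is the url correct, check for a log file in the scripts directory "
            f"and run the process in a shell window ({INSTALL_DIR})")


def cgi_error(script: str, reason: str, server_log: list) -> str:
    """Fixed variant: full detail is written to the server-side log only;
    the client receives a fixed, path-free message."""
    server_log.append(f"cgi failure: {INSTALL_DIR}/scripts/{script}: {reason}")
    return "404 Not Found"


def render_login_unsafe(username: str) -> str:
    """Reflects the submitted username verbatim into an attribute value."""
    return f'<input name="username" value="{username}">'


def render_login(username: str) -> str:
    """Escapes for the HTML attribute context; quote=True also encodes " and '."""
    return f'<input name="username" value="{html.escape(username, quote=True)}">'


# Constructed access-log lines (combined log format) for the detection check.
LOG_LINES = [
    '203.0.113.5 - - [03/Jun/2004:12:39:25 -0700] "GET /scripts/err.txt HTTP/1.1" 404 512',
    '203.0.113.5 - - [03/Jun/2004:12:39:31 -0700] "GET /cgi/user.cgi?username=bob HTTP/1.1" 200 2048',
    '198.51.100.7 - - [03/Jun/2004:12:40:02 -0700] "GET /cgi/user.cgi?username=%22%3E%3Cb%3Ex HTTP/1.1" 200 2048',
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3})')
MARKUP_CHARS = re.compile(r'[<>"\']')


def scan_access_log(lines):
    """Return (client_ip, reason) for requests matching the advisory's patterns:
    a 404 under /scripts/ (path-disclosure probing) or markup characters in
    a decoded 'username' query parameter (reflected-XSS probing)."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, status = m.groups()
        path, _, query = target.partition("?")
        if status == "404" and path.startswith("/scripts/"):
            findings.append((ip, f"404 under /scripts/: {path}"))
        params = parse_qs(query, keep_blank_values=True)  # percent-decodes values
        for value in params.get("username", []):
            if MARKUP_CHARS.search(value):
                findings.append((ip, f"markup in username: {value}"))
    return findings


if __name__ == "__main__":
    log = []
    print(cgi_error_unsafe("err.txt", "File Not Found"))
    print(cgi_error("err.txt", "File Not Found", log), log)
    print(render_login_unsafe('x"><b>y</b>'))
    print(render_login('x"><b>y</b>'))
    for hit in scan_access_log(LOG_LINES):
        print(hit)
```

The escaping function is written for the attribute context the advisory describes; a value reflected into a different context (a script block, a URL) needs the encoder for that context instead. The log check is deliberately simple and only covers GET parameters, so a form submitted by POST would have to be inspected at the application layer rather than in the access log.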