Winmail Server Bugs in 'chgpwd.php', 'domain.php', and 'user.php' Disclose Installation Path to Remote Users
|
|
SecurityTracker Alert ID: 1012485
|
|
SecurityTracker URL: http://securitytracker.com/id?1012485
|
|
CVE Reference: GENERIC-MAP-NOMATCH
(Links to External Site)
|
Date: Dec 13 2004
|
Impact: Disclosure of system information
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Advisory: Global Security Solution IT (GSSIT)
|
Version(s): 4.0 (Build 1112)
|
Description: Ziv Kamir of Global Security Solution IT reported a vulnerability in Winmail Server. A remote user can determine the installation path.
It is reported that a remote user can access the 'chgpwd.php' script to cause the system to disclose the installation path. A demonstration
exploit URL is provided:
http://[target]:6080/admin/chgpwd.php
The 'domain.php' and 'user.php' scripts are also affected.
The
vendor was notified on November 25, 2004.
|
Impact: A remote user can determine the installation path.
|
Solution: The report indicates that you can edit the 'c:\windows\winmail_php.ini' file to make the following changes:
display_errors = On
to
display_errors = Off
|
Vendor URL: www.magicwinmail.net/ (Links to External Site)
|
Cause: Access control error, Exception handling error
|
Underlying OS: Windows (Any)
|
Reported By: GSS IT <gss_it@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Mon, 13 Dec 2004 00:41:00 -0800 (PST)
From: GSS IT <gss_it@yahoo.com>
Subject: WinMail ver 4 build(1112)
|
--0-1580320793-1102927260=:10921
Content-Type: text/plain; charset=us-ascii
Content-Id:
Content-Disposition: inline
__________________________________
Do you Yahoo!?
Yahoo! Mail - Helps protect you from nasty viruses.
http://promotions.yahoo.com/new_mail
--0-1580320793-1102927260=:10921
Content-Type: text/plain; name="WinMail.txt"
Content-Description: WinMail.txt
Content-Disposition: inline; filename="WinMail.txt"
13/12/04
====================================
GSSIT - Global Security Solution IT
====================================
-------------------------------------------------------
Application: Winmail Server
Web Site: www.magicwinmail.net
Versions: 4.0 (Build 1112)
Platform: Windows
Credits:
########
#########################################
# == Ziv Kamir == #
# #
# GSSIT - Global Security Solution IT #
# #
# Web : www.gssit.co.il #
# #
# #
#########################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
Winmail Server is an enterprise class mail server software system offering a robust
feature set, including extensive security measures. Winmail Server supports SMTP,
POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam protection,
anti-virus protection, SSL/TLS security, Network Storage, remote access, Web-based
administration, and a wide array of standard email options such as filtering,
signatures, real-time monitoring, archiving, and public email folders.
======
2) Bug
======
Discloses Installation Path to Remote Users.
===========
3) The Code
===========
http://127.0.0.1:6080/admin/chgpwd.php
Or [ domain.php | user.php ]
===========
4) The Fix
===========
Date of Vendor Notification:
25-11-04
Fix :
26-11-04
You can edit c:\windows\winmail_php.ini change :
display_errors = On
to
display_errors = Off
==============================================================================================
*** The Data is for educational purpose only. ***
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or special damages.
==============================================================================================
--0-1580320793-1102927260=:10921--
|
|
