SecurityTracker.com
Category:  Application (E-mail Server)  >  SmarterMail Vendors:  SmarterTools Inc.
SmarterMail Lets Remote Users Upload Arbitrary Scripting Code and Execute It
SecurityTracker Alert ID:  1013021
SecurityTracker URL:  http://securitytracker.com/id?1013021
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jan 28 2005
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes   Vendor Confirmed:  Yes  
Version(s): prior to 2.0.1837
Description:  Soroush Dalili from Grayhatz Security Group (GSG) reported a vulnerability in SmarterMail. A remote user can execute arbitrary scripting code on the target system.

A remote authenticated user can upload script files and have them executed on the target server. An ASP script can be uploaded by creating an e-mail message and attaching the script file. Before the message is sent, the user can request a URL of the following form to have the web server execute the attached script:

[SmarterMail Url]\MRS\MailProcessing\[UserID]\[Filename.extension]

The vendor was notified on January 7, 2005.

Impact:  A remote user can execute arbitrary scripting code on the target system with the privileges of the webmail service.
Solution:  The vendor has issued a fixed version (2.0.1837), available at:

http://www.smartertools.com/Products/SmarterMail/DL/V2.aspx

Vendor URL:  www.smartertools.com/Products/SmarterMail/Overview.aspx
Cause:  Access control error
Underlying OS:  Windows (2000), Windows (2003), Windows (XP)
Reported By:  "Soroosh Dalili" <s-dalili@cc.sbu.ac.ir>
Message History:   None.
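The flaw above is a classic one: attachments are staged under a web-served path, and the web server's script mappings execute whatever extension they carry. One way to check historic or live IIS logs for that pattern, written here as an added example (not SecurityTracker's or SmarterTools' code); the log lines are constructed samples, the script-extension list is an assumed default IIS mapping set, and the URL shape follows the advisory:

```python
"""Scan IIS W3C-extended log lines for requests that fetch a staged SmarterMail
attachment (/MRS/MailProcessing/<UserID>/<file>) with a server-side script
extension.  Constructed log lines; field layout is read from the "#Fields:"
header so the parser is not tied to one column order.  Added example."""
import re

# Extensions IIS maps to script engines by default.  Assumed list, not from
# the advisory (which notes .aspx was already blocked by the product).
SCRIPT_EXTENSIONS = {".asp", ".asa", ".cer", ".cdx", ".aspx", ".ashx", ".asmx"}

# URL form from the advisory, normalised to forward slashes, case-insensitive.
ATTACHMENT_PATH = re.compile(
    r"^/MRS/MailProcessing/(?P<userid>[^/]+)/(?P<fname>[^/]+)$", re.I)

def is_script_extension(filename):
    """True if the final extension is one the web server would execute."""
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in SCRIPT_EXTENSIONS

def parse_w3c(lines):
    """Turn W3C-extended log lines into dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names follow the tag
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows

def find_attachment_execution(lines):
    """Rows where a staged attachment with a script extension was requested."""
    hits = []
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "").replace("\\", "/")
        m = ATTACHMENT_PATH.match(stem)
        if m and is_script_extension(m.group("fname")):
            hits.append({"user": m.group("userid"), "file": m.group("fname"),
                         "client": row.get("c-ip", "?"),
                         "status": row.get("sc-status", "?")})
    return hits

# Constructed sample log: one benign attachment fetch, two script fetches.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2005-01-07 10:12:01 GET /MRS/MailProcessing/1042/report.doc - 192.0.2.10 200
2005-01-07 10:12:09 GET /MRS/MailProcessing/1042/notes.asp - 192.0.2.10 200
2005-01-07 10:12:15 GET /Default.aspx - 192.0.2.11 200
2005-01-07 10:13:02 GET /mrs/mailprocessing/77/x.ASA - 198.51.100.7 404
""".splitlines()

if __name__ == "__main__":
    for hit in find_attachment_execution(SAMPLE_LOG):
        print(hit)
```

A 200 status on such a request means the server ran the file; the same check is what the upload path itself should enforce (reject or rename script extensions and keep the staging directory outside any script-enabled web root).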


Source Message Contents

Date:  Tue, 25 Jan 2005 05:51:53 +0330
From:  "Soroosh Dalili" <s-dalili@cc.sbu.ac.ir>
Subject:  A user can upload and run some files (like asp) on a smartermail server.


Hi, I'm Soroush Dalili from Grayhatz security group (GSG).
I found an important bug in SmarterMail and reported it on Fri, 7 Jan 2005.
They updated their program and fixed its bug, so I am writing it up now for
all.
----------------------------------------------------------------
SmarterMail is a web-based mail program that was built from the start with
hosting companies and ISPs in mind, from www.smartertools.com.

A user with any permission can attach an ASP file or another executable
extension (except aspx) and then run it on the SmarterMail server!
An attacker can also attach some dangerous page like a browser or more
to the mail server and then execute it there. That's very dangerous
because the attacker can also download the server's critical files, like files
that contain passwords!

A user can run it with a line like the one below:
[SmarterMail Url]\MRS\MailProcessing\[UserID]\[Filename.extension]
Just attach a file, don't close the mail composer, and run it from the
above address!
It works under all versions except the last one!
------------------------------------------------------------------
Vendor URL: www.smartertools.com
Solution: Download updated program
------------------------------------------------------------------
 
Name: Soroush Dalili
Site: Grayhatz.com
Email: S-dalili@sbu.ac.ir , Irsdl@yahoo.com
 


Copyright 2005, SecurityGlobal.net LLC