SecurityTracker.com
Category:   Application (E-mail Server)  >   Sake Mail
Vendors:   Endymion Corporation
Endymion's Sake Mail Web Mail Java Servlet Lets Remote Users View Files on the Server
SecurityTracker Alert ID:  1003748
SecurityTracker URL:  http://securitytracker.com/id/1003748
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 5 2002
Impact:   Disclosure of system information, Disclosure of user information
Exploit Included:  Yes  

Description:   An input validation flaw was reported in Endymion's Sake Mail web-based mail Java servlet. A remote user can view files on the system.

It is reported that a remote user can send the server an HTTP request containing a relative path that ends with a null byte and view the contents of the file at that path.

The vendor has reportedly been notified.

Impact:   A remote user can view files located anywhere on the system that are accessible to the Sake Mail servlet.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.endymion.com/products/sake/mail/
Cause:   Access control error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Java-based

Message History:   None.


 Source Message Contents

Subject:  Endymion SakeMail and MailMan File Disclosure Vulnerability


------=_NextPart_000_39d8_2e06_4e0f
Content-Type: text/plain; format=flowed



hola,

Mailman has a classic file-disclosure vulnerability
(details attached).


nice day,

rC














security@freefly.com
rudicarell@hotmail.com

http://www.websec.org






------=_NextPart_000_39d8_2e06_4e0f
Content-Type: text/plain; name="mailman.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="mailman.txt"

Product:

Mailman - Webmailsystem (http://www.endymion.com)

Problem Description:

due to missing input-validation it is possible to read files with the
webserver's (or mailman's) permissions.
a similar (pretty much the same) bug was discovered 2 years ago by
"secureality"
(http://www.securereality.com.au/)/(http://online.securityfocus.com/archive/1/149214).


Example:

a HTTP-request to:
http://hostname/cgi-bin/mmstdo*.cgi
with the following parameters:
USERNAME=
PASSWORD=
ALTERNATE_TEMPLATES= [relative FILE/PATH] [Nullbyte/0x00]

... will lead to disclosure of [FILE/PATH]




Summary:

object: mmstdo*.cgi (Perl Script)

class: Referring to OWASP-IV (Input Validation Classes)

Directory Traversal (IV-DT-1) http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
Null Character (IV-NC-1) http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm

remote: yes
local: ---
severity: medium

vendor: has been informed [got a ticket# from some automated reply .. but
nothing else]
patch/fix: ???
recommended fix: sanitize meta-characters from user-input




security@freefly.com
rudicarell@hotmail.com
http://www.websec.org

check out the Open Web Application Security project
http://www.owasp.org

------=_NextPart_000_39d8_2e06_4e0f
Content-Type: text/plain; name="sakemail.txt"; format=flowed
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename="sakemail.txt"

Product:

SakeMail - Webmailsystem (http://www.endymion.com)

Problem Description:

due to missing input-validation it is possible to read xml/other files with
sakemail's permissions
read THIS (javanullbyte.html) for additional info on nullbytes and
java-classes!

Example:

a HTTP-request to:
http://hostname/com.endymion.sake.servlet.mail.MailServlet
with the following parameters:

cmd_help=1
param_name= [relative FILE/PATH] [Nullbyte/0x00]


... will lead to disclosure of [FILE/PATH]


Remark:
for some strange reason the used xml-parser for windows behaves differently.
the unix-version lets you read any file, while the windows version allows
only "xml-style" files to be read.

if the system authenticates against mysql or mssql it is very likely to find
database-usernames and passwords within general.ini or mail.ini

config-files with sensitive information:

mail.ini (db-usernames and passwords)
generali.ini
mssqlserver.sql
mysql.sql


Summary:

vendor: Endymion (http://www.endymion.com)
system: SakeMail (all versions)
object: com.endymion.sake.servlet.mail.MailServlet (maybe others)

class: Referring to OWASP-IV (Input Validation Classes)

Directory Traversal (IV-DT-1)
Null Character (IV-NC-1)
remote: yes
local: ---
severity: medium-high

vendor: has been informed (got a ticket# from some automated reply .. but
nothing else)
patch/fix:
recommended fix: sanitize meta-characters from user-input




@2002 Martin Eiszner
security@freefly.com
http://www.websec.org

------=_NextPart_000_39d8_2e06_4e0f--
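
The fix the report recommends (validating the user-supplied file name), shown as an added example that is not Endymion's code or part of the original message. The class name, base directory, and ".xml" suffix are hypothetical; the advisory does not state how the servlet builds its path.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class HelpFileResolver {
    // Hypothetical base directory and suffix; the advisory does not give the real ones.
    static final Path BASE = Paths.get("/opt/webmail/help").toAbsolutePath().normalize();
    static final String SUFFIX = ".xml";

    /** Map a request parameter to a file under BASE, or throw if it is unsafe. */
    static Path resolve(String name) throws IOException {
        if (name == null || name.isEmpty()) {
            throw new IOException("empty name");
        }
        // A NUL never belongs in a file name. Where the name reaches a C-level
        // open() unchecked, the string ends at the NUL and SUFFIX is dropped.
        if (name.indexOf('\0') >= 0) {
            throw new IOException("NUL byte in name");
        }
        // Allow-list instead of stripping: no dots, slashes or backslashes.
        if (!name.matches("[A-Za-z0-9_-]{1,64}")) {
            throw new IOException("name outside allow-list");
        }
        // Defence in depth: the normalized result must still sit under BASE.
        Path p = BASE.resolve(name + SUFFIX).normalize();
        if (!p.startsWith(BASE)) {
            throw new IOException("path escapes base directory");
        }
        return p;
    }

    public static void main(String[] args) {
        // Constructed sample values for param_name / ALTERNATE_TEMPLATES.
        String[] samples = {"compose", "../mail.ini\0", "..\\..\\general.ini", "a/b"};
        for (String s : samples) {
            String shown = s.replace("\0", "\\0");
            try {
                System.out.println("OK     " + shown + " -> " + resolve(s));
            } catch (IOException e) {
                System.out.println("REJECT " + shown + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

Only the first sample resolves; the other three are rejected before any file is opened.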


Copyright 2021, SecurityGlobal.net LLC