SecurityTracker.com
Category:   Application (E-mail Server)  >   1st Class Mail Server
Vendors:   1st Class Internet Solutions
1st Class Mail Server Input Validation Holes Disclose Files to Remote Users and Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID:  1009705
SecurityTracker URL:  http://securitytracker.com/id/1009705
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 8 2004
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included:  Yes  
Version(s): 4.01
Description:   Some input validation vulnerabilities were reported in the 1st Class Mail Server. A remote user can view files on the system. A remote user can also conduct cross-site scripting attacks.

Dr_insane reported that the webmail interface does not properly validate user-supplied input. A remote user can reportedly use '../' directory traversal characters to view files on the target system with the privileges of the web service.

A remote user can also create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the mail server software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Some demonstration exploit URLs are provided:

http://[host]/AUTH=[some_value]/user/viewmail.tagz?Site=www.hack.gr&Mailbox=3&MessageIndex=[html_code]>
http://[host]/AUTH=[some_value]/user/?Site=www.hack.gr&Mailbox=[html_code]
http://[host]/AUTH=[some_value]/user/members.tagz?Site=www.hack.gr&Mailbox=[html_code]
http://[host]/AUTH=[some_value]/user/general.tagz?Site=www.hack.gr&Mailbox=[html_code]
http://[host]/AUTH=[some_value]/user/advanced.tagz?Site=www.hack.gr&Mailbox=<[html_code]>
http://[host]/AUTH=[some_value]/user/list.tagz?Site=www.hack.gr&Mailbox=[html_code]

The original advisory is available at:

http://members.lycos.co.uk/r34ct/main/1st%20Class%20mail%20server%204.01.txt

Impact:   A remote user can view files on the target system with the privileges of the web service.

A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the mail server software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.1cis.com/articles/1cms20pr.asp
Cause:   Input validation error
Underlying OS:  Windows (Any)

Message History:   None.
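
With no solution available at the time of this entry, one defensive option is to screen webmail request logs for the two input patterns described above. The following is an added example, not code from the advisory or the vendor; the function names, the constructed sample request targets, and the choice to check both the path and every query value are assumptions, since the advisory does not say where the '../' sequence is supplied.

```python
from urllib.parse import urlsplit, unquote

MAX_DECODE_ROUNDS = 3        # assumption: unwraps double/triple percent-encoding
HTML_META = set("<>\"'")     # characters that let a value break out into markup

def fully_decode(s):
    """Percent-decode repeatedly so %252e%252e%252f is recognised as ../"""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def has_traversal(s):
    # The server runs on Windows, where both / and \ separate path segments.
    return ".." in s.replace("\\", "/").split("/")

def classify(target):
    """Return the set of findings for one request target (path plus query)."""
    parts = urlsplit(target)
    findings = set()
    if has_traversal(fully_decode(parts.path)):
        findings.add("traversal")
    for pair in filter(None, parts.query.split("&")):
        name, _, value = pair.partition("=")
        value = fully_decode(value.replace("+", " "))
        if has_traversal(value):
            findings.add("traversal")
        if HTML_META & set(value):
            findings.add("markup:" + name)
    return findings

def scan(targets):
    """Keep only the request targets that produced at least one finding."""
    return [(t, sorted(f)) for t in targets if (f := classify(t))]

# Constructed sample request targets (not taken from real logs).
SAMPLE = [
    "/AUTH=abc123/user/list.tagz?Site=mail.example.test&Mailbox=3",
    "/AUTH=abc123/user/viewmail.tagz?Site=mail.example.test&Mailbox=3&MessageIndex=%3Cb%3Ex%3C/b%3E",
    "/AUTH=abc123/user/%252e%252e/%252e%252e/placeholder.txt",
    "/AUTH=abc123/user/general.tagz?Site=mail.example.test&Mailbox=..%5C..%5Cplaceholder.txt",
]

if __name__ == "__main__":
    for target, findings in scan(SAMPLE):
        print(findings, target)
```

The same checks can run in a reverse proxy in front of the webmail port to reject flagged requests instead of only reporting them.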


 Source Message Contents

Subject:  http://members.lycos.co.uk/r34ct/main/1st%20Class%20mail%20server%204.01.txt


http://members.lycos.co.uk/r34ct/main/1st%20Class%20mail%20server%204.01.txt

1st Class mail server 4.01 Directory Traversal and XSS vulnerabilities

Release Date:
April 8, 2004

Severity:
Medium

Vendor:
www.1cis.com

Systems Affected:
Microsoft Windows NT 4.0 (all versions)
Microsoft Windows 2000 (SP3 and earlier)
Microsoft Windows XP (all versions)
Microsoft Windows 9x

Services Affected:
Webmail service (80)


Details:
The 1st Class Mail Server is a small, scalable SMTP, POP3 and Web Mail server designed for
small businesses and individuals. Its simple design, ease of use, and low cost make the
1st Class Mail Server a cost effective product that fits all your needs.
A vulnerability has been discovered on 1st class mail server that allows a malicious user
to read arbitrary files on a system using "../". The vulnerability is caused due to an
input validation error.

Second, some XSS attacks have been identified:
http://[host]/AUTH=[some_value]/user/viewmail.tagz?Site=www.hack.gr&Mailbox=3&MessageIndex=[html_code]>
http://[host]/AUTH=[some_value]/user/?Site=www.hack.gr&Mailbox=[html_code]
http://[host]/AUTH=[some_value]/user/members.tagz?Site=www.hack.gr&Mailbox=[html_code]
http://[host]/AUTH=[some_value]/user/general.tagz?Site=www.hack.gr&Mailbox=[html_code]
http://[host]/AUTH=[some_value]/user/advanced.tagz?Site=www.hack.gr&Mailbox=<[html_code]>
http://[host]/AUTH=[some_value]/user/list.tagz?Site=www.hack.gr&Mailbox=[html_code]

Credit:
Dr_insane
Http://members.lycos.co.uk/r34ct/


Feedback
Please send your comments to: dr_insane@pathfinder.gr


 
 



Copyright 2019, SecurityGlobal.net LLC