SecurityTracker.com
Category:   Application (E-mail Server)  >   CMailServer
Vendors:   YoungZSoft
CMailServer Buffer Overflow 'CMailCOM.dll' Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012324
SecurityTracker URL:  http://securitytracker.com/id/1012324
CVE Reference:   CVE-2004-1128, CVE-2004-1129, CVE-2004-1130
Updated:  Dec 7 2004
Original Entry Date:  Nov 24 2004
Impact:   Execution of arbitrary code via network, Modification of user information, User access via network

Version(s): 5.2
Description:   Tan Chew Keong of SIG^2 reported several vulnerabilities in CMailServer. A remote user can execute arbitrary code on the target user's system. A remote authenticated user can inject SQL commands and conduct cross-site scripting attacks.

It is reported that there is a buffer overflow in CMailCOM.dll in the attachment download processing [CVE: CVE-2004-1128]. A remote user may be able to cause arbitrary code to be executed on the target user's system.

It is also reported that the software does not properly validate user-supplied input in certain scripts [CVE: CVE-2004-1129, CVE-2004-1130].

The 'admin.asp' script does not filter HTML code from user-supplied input when displaying a user's personal information. A remote user can cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the CMailServer software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

It is also reported that 'fdelmail.asp' allows a remote authenticated user to inject SQL commands to delete a target user's mail metadata.

It is also reported that 'addressc.asp' allows a remote authenticated user to inject SQL commands to delete a target user's address book contacts.
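
The two SQL injection reports above ('fdelmail.asp' and 'addressc.asp') both let one authenticated user delete another user's rows. The following is an added example, not CMailServer code and not part of the advisory: the advisory gives no query text, so it assumes the common pattern of a request value concatenated into a DELETE statement with no ownership check, modelled in Python with sqlite3. The table, column and function names and the sample rows are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample rows; schema names are hypothetical.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mail_meta (id INTEGER PRIMARY KEY, owner TEXT, subject TEXT)")
    db.executemany("INSERT INTO mail_meta VALUES (?, ?, ?)",
                   [(1, "alice", "invoice"), (2, "alice", "lunch"), (3, "bob", "payroll")])
    return db

def remaining(db):
    return db.execute("SELECT id, owner FROM mail_meta ORDER BY id").fetchall()

def delete_mail_unsafe(db, session_user, mail_id):
    # Flawed pattern (assumed): the request value becomes part of the SQL text,
    # and the statement never checks that the row belongs to session_user.
    cur = db.execute("DELETE FROM mail_meta WHERE id = " + mail_id)
    return cur.rowcount

def delete_mail_safe(db, session_user, mail_id):
    # Reject anything that is not a plain decimal id before touching the database.
    if not (mail_id.isascii() and mail_id.isdigit()):
        raise ValueError("mail id must be a decimal integer")
    # Bind both values as parameters and scope the delete to the session user.
    cur = db.execute("DELETE FROM mail_meta WHERE id = ? AND owner = ?",
                     (int(mail_id), session_user))
    return cur.rowcount

def demo():
    crafted = "1 OR 1=1"  # constructed input that widens the WHERE clause
    db = make_db()
    delete_mail_unsafe(db, "alice", crafted)
    unsafe_left = remaining(db)  # every user's rows are gone
    db = make_db()
    try:
        delete_mail_safe(db, "alice", crafted)
        rejected = False
    except ValueError:
        rejected = True
    foreign = delete_mail_safe(db, "alice", "3")  # bob's row: nothing deleted
    own = delete_mail_safe(db, "alice", "1")      # alice's own row: deleted
    return unsafe_left, rejected, foreign, own, remaining(db)

if __name__ == "__main__":
    print(demo())
```

The owner predicate matters independently of the parameter binding: a well-formed id that belongs to another user is still refused.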

The vendor was notified on November 13, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/cmailserver52.html

Impact:   A remote user can execute arbitrary code on a target user's system.

A remote authenticated user can inject SQL commands to delete a target user's mail metadata or address book contacts.

A remote authenticated user can access the target user's cookies (including authentication cookies), if any, associated with the site running the CMailServer software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Solution:   The vendor has issued a fixed version (5.2.1).
Vendor URL:  www.youngzsoft.net/cmailserver/
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilities


SIG^2 Vulnerability Research Advisory

CMailServer WebMail v5.2 Multiple Vulnerabilities

by Tan Chew Keong
Release Date: 24 Nov 2004


ADVISORY URL
http://www.security.org.sg/vuln/cmailserver52.html


SUMMARY

CMailServer (http://www.youngzsoft.net/cmailserver/) is a small and 
easy-to-use Mail Server software and Web Mail software. It enables you 
to send and receive emails across the Internet or within the LAN and has 
support for client email applications such as Outlook, Eudora etc. 
CMailServer supports Hotmail-like Web Mail service based on ASP scripts.

Multiple vulnerabilities were found in CMailServer's Web Mail service 
including buffer overflow, SQL Injection and Cross-Site Scripting (XSS).


TESTED SYSTEM

CMailServer Version 5.2 on English Win2K IIS 5.0.


DETAILS

CMailServer is a small and easy-to-use Mail Server software and Web Mail 
software. It enables you to send and receive emails across the Internet 
or within the LAN and has support for client email applications such as 
Outlook, Eudora etc. CMailServer supports Hotmail-like Web Mail service 
based on ASP scripts. Multiple vulnerabilities were found in CMailServer's 
Web Mail service including buffer overflow, SQL Injection and Cross-Site 
Scripting (XSS).


1. Buffer overflow in CMailCOM.dll's attachment download method may 
allow arbitrary code execution.

2. SQL Injection in fdelmail.asp allows deleting of other users' mail 
metadata.

3. SQL Injection in addressc.asp allows deleting of other users' email 
address contacts.

4. XSS vulnerability in admin.asp when displaying users' personal info.


PATCH

Update to the latest version of CMailServer v5.2.1.


DISCLOSURE TIMELINE

12 Nov 04 - Vulnerability Discovered.
13 Nov 04 - Initial Vendor Notification by Email and Web Form.
16 Nov 04 - Initial Vendor Reply.
21 Nov 04 - Vendor provided patched version for testing.
21 Nov 04 - Notified Vendor that a patch did not work.
21 Nov 04 - Vendor provided updated version for testing.
24 Nov 04 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
 
 

