SecurityTracker.com
Category:   Application (E-mail Server)  >   ArGoSoft Mail Server
Vendors:   ArGo Software Design
ArGoSoft Mail Server Input Validation Holes Allow Remote Authenticated Users to Upload/Download Files and Create/Delete Directories
SecurityTracker Alert ID:  1013135
SecurityTracker URL:  http://securitytracker.com/id/1013135
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Feb 9 2005
Impact:   Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.8.7.4
Description:   Tan Chew Keong of SIG^2 Vulnerability Research reported several vulnerabilities in ArGoSoft Mail Server. A remote authenticated user can upload files to arbitrary locations, download arbitrary files (including other users' email), and create or delete arbitrary directories on the target system.

The webmail software does not properly validate user-supplied filenames for e-mail attachments. A remote authenticated user can specify a specially crafted filename to upload a file to an arbitrary location on the target system. This can be exploited, for example, to overwrite a target user's 'userdata.rec' password file.

A remote authenticated user can upload a specially crafted '_msgatt.rec' file containing directory traversal characters to cause the server to send arbitrary files on the server to the target user as an attachment. This can be exploited, for example, to obtain a target user's password file.

The 'Folder' parameter of the '/msg' and '/delete' links is not properly validated. A remote authenticated user can view or delete a target user's e-mail by supplying directory traversal characters and a correct UIDL.

The 'Folder' parameter of the '/folderadd' and '/folderdelete' links is not properly validated. A remote authenticated user can supply directory traversal characters in the parameter to create or delete arbitrary directories on the target system.
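
The missing check behind the attachment-filename and 'Folder' parameter issues above, sketched as an added example (not ArGoSoft's code or the vendor's fix). The mail root path, function names and exception type are hypothetical; Windows path rules are modelled with `PureWindowsPath` so the logic runs on any platform.

```python
from pathlib import PureWindowsPath

# Hypothetical layout (assumption): each mailbox lives under MAIL_ROOT\<user>\.
MAIL_ROOT = PureWindowsPath(r"C:\MailRoot")

class TraversalError(ValueError):
    """Raised when client-supplied input would leave the caller's mailbox."""

def _safe_parts(value):
    """Split a client-supplied relative path into validated components."""
    if not value or "\x00" in value or ":" in value:
        raise TraversalError("empty value, NUL byte, or drive/stream separator")
    p = PureWindowsPath(value)           # treats both '/' and '\' as separators
    if p.anchor:                         # \x, C:\x, \\host\share\x
        raise TraversalError("absolute path")
    if not p.parts:                      # "." would resolve to the mailbox root
        raise TraversalError("no folder name")
    for part in p.parts:
        # Windows drops trailing dots and spaces, so ".. " or "..." alias "..".
        if part.rstrip(". ") != part:
            raise TraversalError(f"bad component {part!r}")
    return p.parts

def resolve_folder(session_user, folder):
    """Map a 'Folder' parameter to a path inside the caller's own mailbox.

    session_user must come from the authenticated session, never the request.
    """
    base = MAIL_ROOT / session_user
    target = base.joinpath(*_safe_parts(folder))
    if base not in target.parents:       # lexical containment, defence in depth
        raise TraversalError("escapes mailbox")
    return target

def attachment_name(filename):
    """Accept an uploaded attachment's filename only if it is one component."""
    parts = _safe_parts(filename)
    if len(parts) != 1:
        raise TraversalError("filename contains a path")
    return parts[0]
```

The check is purely lexical; a server that can have junctions or symlinks under the mail root would also resolve the final path on disk and compare it against the mailbox root before opening, creating or deleting anything.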

The vendor was notified on February 8, 2004.

The original advisory is available at:

http://www.security.org.sg/vuln/argosoftmail1873.html

Impact:   A remote authenticated user can upload files to arbitrary locations on the target system.

A remote authenticated user can download arbitrary files (including other users' email).

A remote authenticated user can create or delete arbitrary directories on the target system.

Solution:   The vendor has issued a fixed version (1.8.7.4), available at:

http://www.argosoft.com/mailserver/download.aspx

Vendor URL:  www.argosoft.com/mailserver/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] ArGoSoft Mail Server Webmail Multiple Directory Traversal


SIG^2 Vulnerability Research Advisory

ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities

by Tan Chew Keong
Release Date: 09 Feb 2005

ADVISORY URL
http://www.security.org.sg/vuln/argosoftmail1873.html


SUMMARY

ArGoSoft Mail Server (http://www.argosoft.com/mailserver/) is a fully 
functional SMTP/POP3/Finger (Pro version also has IMAP module) server 
for Windows 95/98/NT/2000, which will let you turn your computer into 
the email system. It's very compact, takes about 1-5 Mb of disk space 
(depending on the version), does not have any specific memory 
requirements, and what is the most important - it's very easy to use.

Multiple directory traversal vulnerabilities were found in ArGoSoft Mail 
Server's Webmail that may be exploited by a logon mail user to upload 
files to arbitrary directories on the server, retrieve arbitrary files 
from the server, access other users' emails, and create/delete arbitrary 
directories on the server.


TESTED SYSTEM

ArGoSoft Mail Server Version 1.8.7.3 on English WinXP SP2, Win2K SP4.


DETAILS

This advisory documents 4 directory traversal vulnerabilities in 
ArGoSoft Mail Server's Webmail. Exploitation of these vulnerabilities 
requires a valid logon account on the Webmail.


a. Directory traversal in email attachment filename allows file upload 
to arbitrary directories

ArGoSoft Mail Server's Webmail allows a logon mail user to upload file 
attachments when composing an email. Lack of input sanitization of the 
supplied filename allows the user to upload files to arbitrary locations 
on the server. This may be exploited by a malicious mail user to upload 
and replace other users' password file (userdata.rec) with a copy that 
has a known password, thus allowing him/her to logon as other users.


b. Directory traversal in _msgatt.rec allows any arbitrary files on the 
server to be sent as attachment

By uploading a specially crafted _msgatt.rec file containing directory 
traversal characters, it is possible to cause the server to send any 
arbitrary files on the server as attachment to the user. A malicious 
user may exploit this vulnerability to email other user's password file 
(userdata.rec) to himself.


c. Directory traversal in /msg and /delete "Folder" parameter allows 
reading/deleting of other user's emails

The /msg and /delete link allows the Webmail user to view/delete his/her 
emails.  It is possible to view/delete other user's email by using 
directory traversal characters in the "Folder" parameter and specifying 
a correct UIDL.


d. Directory traversal in /folderadd and /folderdelete "Folder" 
parameter allows creating/deleting arbitrary directories on the server

The /folderadd and /folderdelete links allow the Webmail user to 
create/delete mail folders. It is possible to use directory traversal 
characters in the Folder parameter to create/delete directories in 
arbitrary locations on the server. A malicious user may exploit this 
vulnerability to delete other users' entire mail directories, which is 
effectively the same as removing the users from the system.


PATCH

Upgrade to version v1.8.7.4.


DISCLOSURE TIMELINE

06 Feb 05 - Vulnerability Discovered.
08 Feb 05 - Initial Vendor Notification.
08 Feb 05 - Received Notification from Vendor that Fixed Version was 
Released.
09 Feb 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
 
 

