SecurityTracker.com
Category:   Application (E-mail Server)  >   MailEnable
Vendors:   MailEnable Pty. Ltd.
MailEnable Flaws Let Remote Users Write Files to Mailboxes and Remote Authenticated Users Gain Elevated Privileges
SecurityTracker Alert ID:  1016265
SecurityTracker URL:  http://securitytracker.com/id/1016265
CVE Reference:   GENERIC-MAP-NOMATCH
Updated:  Jan 2 2009
Original Entry Date:  Jun 11 2006
Impact:   Disclosure of authentication information, Modification of system information, Modification of user information, User access via network
Exploit Included:  Yes  
Version(s): Enterprise Edition 2.0; ASP and .NET versions
Description:   Soroush Dalili from GrayHatz Security Group (GSG) reported several vulnerabilities in MailEnable Enterprise Edition. A remote user can write files to a target user's mailbox. A remote authenticated user can gain elevated privileges. A local user can obtain a target user's password.

The 'ListAttachments' script stores the target user's password in plain text form in a hidden HTML tag. This could expose the password to local users on the target user's system. Both the ASP and .NET versions are affected.

The following vulnerabilities were reported to affect the ASP version.

A remote user can send a specially crafted HTTP POST request to 'main.asp' to gain administrative access to the target application. A 'postoffice' input tag with value of 'postmaster' must be sent.

A remote authenticated user can exploit a flaw in 'MailOptions.asp' to change their 'LoginRights' from 'USER' to either 'ADMIN' or 'SYSADMIN'. The account can also be disabled by changing the 'LoginRights' value to '0'.

A remote user can cause a message to be saved in the 'Drafts' folder of a target user because the 'Resolve.asp' script does not perform authentication.

A remote user can exploit 'UploadAttachment.asp' to create a file named 'myupload.ams' in the 'Drafts' folder of a target user on the target system. If the 'username' or 'postoffice' values are incorrect, the system will disclose the installation path.

A remote user can exploit 'uploadcontact.asp' to create a file named '_myupload.csv' in the 'Drafts' folder of a target user on the target system. If the 'username' or 'postoffice' values are incorrect, the system will disclose the installation path.
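
The password held in a hidden tag by 'ListAttachments' and the client-supplied 'postoffice' and 'LoginRights' values described above have the same root cause: state that the server should hold travels through the page. The Python check below is an added example, not part of the original advisory or of MailEnable's code; it audits rendered HTML for such fields. The sample markup and the password-name hints are constructed assumptions.

```python
from html.parser import HTMLParser

# 'LoginRights' and 'postoffice' come from the advisory; the credential
# name hints are assumptions chosen for this example.
CREDENTIAL_HINTS = ("password", "passwd", "pwd")
AUTHZ_FIELDS = {"loginrights", "postoffice"}


class FormFieldAudit(HTMLParser):
    """Collect <input> fields that carry secrets or authorization state."""

    def __init__(self):
        super().__init__()
        self.findings = []  # tuples of (kind, field name, input type)

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        name = a.get("name", "")
        itype = a.get("type", "text").lower()
        lname = name.lower()
        looks_secret = any(h in lname for h in CREDENTIAL_HINTS)
        if looks_secret and itype != "password" and a.get("value"):
            # A secret echoed into page markup is readable from page source,
            # the browser cache and any intermediate proxy.
            self.findings.append(("credential-in-markup", name, itype))
        elif lname in AUTHZ_FIELDS:
            # Role and post office must be derived from the server-side
            # session, never accepted back from the form.
            self.findings.append(("client-held-authorization", name, itype))


def audit_html(html):
    """Return findings for one rendered page, in document order."""
    parser = FormFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample markup; it does not reproduce MailEnable's real pages.
SAMPLE = """
<form method="post" action="example.asp">
  <input type="hidden" name="Password" value="constructed-secret">
  <input type="hidden" name="LoginRights" value="USER">
  <input type="text" name="subject" value="hello">
  <input type="password" name="NewPassword">
</form>
"""
```

Run against pages saved from an authenticated session, any finding marks a value the server-side handler should stop emitting or stop trusting.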

Impact:   A local user on a target user's system may be able to obtain the target user's password.

A remote user can gain administrative access to the target application.

A remote authenticated user can gain elevated privileges.

A remote user can cause messages to be saved in the 'Drafts' folder of a target user.

Solution:   No solution was available at the time of this entry.
Vendor URL:  www.mailenable.com/
Cause:   Access control error, Authentication error
Underlying OS:  Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]

