Magic Winmail Server Input Validation Holes in Webmail and IMAP Services Allow Directory Traversal Attacks
SecurityTracker Alert ID: 1013017
SecurityTracker URL: http://securitytracker.com/id/1013017
Date: Jan 27 2005
Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes  Vendor Confirmed: Yes
Version(s): 4.0 (Build 1112)
Description: Tan Chew Keong of SIG^2 reported several vulnerabilities in Magic Winmail Server. The webmail, IMAP, and FTP services are affected. A remote authenticated user can view and upload arbitrary files and create and delete arbitrary directories. A remote authenticated user can also conduct cross-site scripting attacks.
A remote authenticated user can invoke the 'download.php' script with specially crafted parameters to obtain arbitrary files with the privileges of the web service. The script does not properly validate the user-supplied input.
A remote authenticated user can invoke the 'upload.php' script with a specially crafted filename to write the uploaded file to an arbitrary directory with the privileges of the web service. The script normally stores attachments for an e-mail being composed, but it does not properly validate the user-supplied filename, so a name containing directory traversal sequences places the file in an alternate location. By uploading a PHP script into the webmail directory, the user can cause the Magic Winmail server to execute it; on a default installation the web service runs as Local System, so the uploaded script runs with Local System privileges.
The '/admin/user.php' Webmail administration script does not properly filter HTML code when displaying a webmail user's username, fullname, description, and company name (a stored cross-site scripting flaw). If a user has submitted specially crafted text via 'userinfo.php' and the administrator views this information, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the Magic Winmail server software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
A remote authenticated IMAP user can invoke certain IMAP commands to view arbitrary files on the target system (including the e-mail of other users) or to create or delete arbitrary directories on the target system. IMAP commands such as CREATE, EXAMINE, SELECT, and DELETE do not properly validate user-supplied input to prevent directory traversal attacks.
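The webmail scripts and the IMAP mailbox commands above fail in the same way: a user-supplied name is joined onto a server directory without checking where the result lands. As an added example (not Winmail Server's code, and not from the advisory), the check both needed, written for the Windows host the advisory concerns. The directory layout (ATTACH_ROOT, MAIL_ROOT), the function names and the probe strings are assumptions made for the example; the unchecked variant is included only to show where the traversal strings resolve without the check.

```python
"""Containment check for user-supplied file and mailbox names.

Added example, not code from Winmail Server or the SIG^2 advisory. It
shows the check that download.php, upload.php and the IMAP CREATE/
EXAMINE/SELECT/DELETE handlers each needed: resolve the name against its
intended root and refuse anything whose normalized form lands outside it.
ATTACH_ROOT, MAIL_ROOT and every probe string below are assumptions.
"""
import ntpath
from typing import Optional

# Assumed Windows layout; the advisory does not give Winmail's real paths.
ATTACH_ROOT = r"C:\Winmail\server\webmail\attach"   # per-user attachment store
MAIL_ROOT = r"C:\Winmail\server\mailbox"             # one subdirectory per user


def unchecked_join(root: str, untrusted: str) -> str:
    """What a handler without any check produces: the vulnerable form."""
    return ntpath.normpath(ntpath.join(root, untrusted))


def safe_join(root: str, untrusted: str) -> str:
    """Return root\\untrusted, or raise ValueError if it escapes root.

    ntpath is used so the result matches the Windows host: '/' and '\\'
    are both separators, '\\x' rebases to the drive root, and 'D:\\x' is a
    different tree. Stripping only the literal '../' from the string, a
    common first attempt at a fix, misses all of those; comparing the
    resolved paths catches them uniformly.
    """
    if "\x00" in untrusted:
        raise ValueError("NUL byte in user-supplied name")
    root_norm = ntpath.normpath(root)
    candidate = unchecked_join(root_norm, untrusted)
    try:
        common = ntpath.commonpath([root_norm, candidate])
    except ValueError:  # different drive, or absolute mixed with relative
        raise ValueError(f"{untrusted!r} escapes {root}") from None
    if ntpath.normcase(common) != ntpath.normcase(root_norm):
        raise ValueError(f"{untrusted!r} escapes {root}")
    if ntpath.normcase(candidate) == ntpath.normcase(root_norm):
        raise ValueError("empty name resolves to the root itself")
    return candidate


def try_join(root: str, untrusted: str) -> Optional[str]:
    """safe_join, returning None instead of raising."""
    try:
        return safe_join(root, untrusted)
    except ValueError:
        return None


def attachment_path(user: str, filename: str) -> Optional[str]:
    """download.php / upload.php: the file must stay in the user's folder."""
    return try_join(ntpath.join(ATTACH_ROOT, user), filename)


def unchecked_attachment_path(user: str, filename: str) -> str:
    """Where the same filename lands when the check is missing."""
    return unchecked_join(ntpath.join(ATTACH_ROOT, user), filename)


def mailbox_path(user: str, mailbox: str) -> Optional[str]:
    """IMAP SELECT/CREATE/DELETE: the mailbox must stay under the user's tree.

    The IMAP hierarchy delimiter is treated as a path separator here, which
    is exactly why a mailbox name needs the same check as a filename.
    """
    return try_join(ntpath.join(MAIL_ROOT, user), mailbox)


if __name__ == "__main__":
    probes = [  # constructed inputs: one legitimate name, then traversals
        "report.doc",
        r"..\..\..\..\..\boot.ini",
        "../../../../../boot.ini",
        r"\Windows\win.ini",
        r"..\..\shell.php",   # upload.php aimed at the webmail directory
    ]
    for name in probes:
        print(f"{name!r:32} unchecked: {unchecked_attachment_path('alice', name)}")
        print(f"{'':32} checked:   {attachment_path('alice', name)}")
    print(mailbox_path("alice", "INBOX"), mailbox_path("alice", r"..\bob\INBOX"))
```

The `..\..\shell.php` probe is the upload case from the advisory: without the check it resolves two levels up from the user's attachment folder into the directory that holds the webmail's PHP scripts, which is what turns a file upload into code execution.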
The FTP service does not validate the IP address supplied in an FTP PORT command (the classic FTP bounce attack). A remote authenticated user can issue a PORT command naming an IP address other than the client's own, causing the FTP server to attempt a connection to the specified port on that address. Because the server's reply to the following data-transfer command reveals whether that connection succeeded, this can be used to port scan any host the FTP server can reach, possibly including hosts behind a firewall.
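As an added example (not Winmail Server's code, and not from the advisory), a PORT handler that applies the two checks RFC 2577 section 3 recommends against the bounce attack: the data address must be the client's own control-connection address, and the data port must not be privileged. The reply texts, the peer address and the PORT arguments are constructed for the example.

```python
"""PORT-command validation an FTP server needs to block bounce scans.

Added example, not Winmail's code. Parses 'h1,h2,h3,h4,p1,p2' and rejects
the case the advisory describes: an address other than the client's own
control-connection peer. The address-equality and port>=1024 rules are the
mitigations from RFC 2577 section 3. All sample inputs are constructed.
"""
import ipaddress


def parse_port_arg(arg: str) -> tuple:
    """Decode 'h1,h2,h3,h4,p1,p2' into ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = arg.strip().split(",")
    if len(parts) != 6 or not all(p.isdigit() for p in parts):
        raise ValueError("PORT needs six decimal fields")
    nums = [int(p) for p in parts]
    if any(n > 255 for n in nums):
        raise ValueError("field out of range")
    return ".".join(map(str, nums[:4])), nums[4] * 256 + nums[5]


def handle_port(arg: str, control_peer: str) -> str:
    """Return the FTP reply line for 'PORT arg' sent from control_peer.

    A server that skips the address comparison lets a logged-in user point
    the data connection at any host it can reach; the client then sends
    LIST or RETR and learns from a 150/226 versus a 425 reply whether the
    chosen port was open. That is the scan the advisory describes.
    """
    try:
        host, port = parse_port_arg(arg)
        target = ipaddress.ip_address(host)
    except ValueError as exc:
        return f"501 Syntax error in parameters: {exc}"
    if target != ipaddress.ip_address(control_peer):
        return "500 Illegal PORT command: data address must be the control peer"
    if port < 1024:
        return "500 Illegal PORT command: privileged data port refused"
    return f"200 PORT command successful ({host}:{port})"


if __name__ == "__main__":
    client = "203.0.113.5"              # constructed: the logged-in user's address
    for line in ("203,0,113,5,19,137",  # legitimate: own address, port 5001
                 "10,0,0,7,0,25",       # bounce at an internal host's SMTP port
                 "203,0,113,5,0,22",    # own address, but a privileged port
                 "203,0,113,5,19"):     # malformed
        print(f"PORT {line:<20} -> {handle_port(line, client)}")
```

The address comparison is what closes the scan; the port floor additionally stops a client from using the server to deliver data (an FTP PUT) to services such as SMTP on hosts that trust the server's address.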
The vendor was notified on January 16, 2005.
The original advisory is available at:
Impact: A remote authenticated user can view arbitrary files on the target system and can create and delete arbitrary directories.
A remote authenticated user can upload arbitrary files to the target system and then cause the server to execute them with Local System privileges.
A remote authenticated user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the Magic Winmail server software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.
Solution: The vendor has released a fixed version (4.0 Build 1318), available at:
Vendor URL: www.magicwinmail.net/
Cause: Access control error, Input validation error
Underlying OS: Windows (Any)
Source Message Contents
Subject: [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities
SIG^2 Vulnerability Research Advisory
Magic Winmail Server v4.0 Multiple Vulnerabilities
by Tan Chew Keong
Release Date: 27 Jan 2005
Magic Winmail Server (http://www.magicwinmail.net/) is an enterprise
class mail server software system offering a robust feature set,
including extensive security measures. Winmail Server supports SMTP,
POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam
protection, anti-virus protection, SSL/TLS security, Network Storage,
remote access, Web-based administration, and a wide array of standard
email options such as filtering, signatures, real-time monitoring,
archiving, and public email folders.
Multiple vulnerabilities were found in Magic Winmail Server's Webmail
service, IMAP service and FTP service. Winmail Server's PHP-based
Webmail has vulnerabilities that may be exploited to download arbitrary
files from the server, to upload files to arbitrary directories, and to
conduct Cross-Site Scripting (XSS) attacks. Directory traversal
vulnerability in Winmail Server's IMAP service gives the malicious user
the ability to read arbitrary user's emails, create/delete arbitrary
directories on the server, and/or to retrieve arbitrary files from the
server. In addition, Winmail Server's FTP service does not validate the
IP address supplied in a PORT command. This may be exploited to perform
portscan from the FTP server.
Magic Winmail Server Version 4.0 Build 1112 on English Win2K SP4 and
1. Webmail Vulnerabilities
a. download.php directory traversal allows arbitrary file download
The download.php script allows a user to download his/her email file
attachment. Lack of input parameter sanitization allows a logon mail
user to retrieve arbitrary files from the server by supplying specially
crafted input parameters to download.php.
b. upload.php directory traversal allows file upload to arbitrary
The upload.php scripts allows a mail user to upload his/her email file
attachment when composing an email. Lack of input sanitization of the
supplied filename allows a logon mail user to upload files to arbitrary
location on the server. This may be exploited to upload arbitrary PHP
scripts into the webmail directory. Successful exploitation on the
default installation of Winmail server will allow execution of arbitrary
PHP scripts with LOCAL SYSTEM privilege.
c. XSS vulnerability in Webmail Web Administration when displaying mail users' personal info.
The /admin/user.php script allows the Webmail administrator to view
webmail users' username, fullname, description, and company name. A
userinfo.php. Due to lack of filtering of HTML special characters, these
be crafted to steal the administrator's session cookie, etc.
2. IMAP Service Directory Traversal Vulnerability
Directory traversal vulnerability was found in several of Winmail
Server's IMAP commands. These vulnerable commands may be exploited by a
malicious logon user to read arbitrary user's emails, create/delete
arbitrary directories on the server, and/or to retrieve arbitrary files
from the server. IMAP commands like CREATE, EXAMINE, SELECT and DELETE
are affected by this vulnerability.
3. FTP Service PORT Command Vulnerability
Winmail Server's FTP service does not validate the IP address supplied
in a PORT command. It is possible to issue the PORT command with an IP
address that is different from the logon user's IP address. This may be
exploited to perform portscan from the FTP server.
Upgrade to version 4.0 (Build 1318).
15 Jan 05 - Vulnerability Discovered.
16 Jan 05 - Initial Vendor Notification by Email and Web Form.
16 Jan 05 - Initial Vendor Reply.
27 Jan 05 - Received Email from Vendor that a Fixed Version was Released.
27 Jan 05 - Public Release
All guys at SIG^2 G-TEC Lab
"IT Security...the Gathering. By enthusiasts for enthusiasts."