SecurityTracker.com
SecurityTracker
Archives
Category: Application (E-mail Server) > Magic WinMail Server
Vendors: AMAX Information Technologies Inc.
Magic Winmail Server Input Validation Holes in Webmail and IMAP Services Allow Directory Traversal Attacks
SecurityTracker Alert ID:  1013017
SecurityTracker URL:  http://securitytracker.com/id/1013017
CVE Reference: GENERIC-MAP-NOMATCH
Date:  Jan 27 2005
Impact:   Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 4.0 (Build 1112)
Description:   Tan Chew Keong of SIG^2 reported several vulnerabilities in Magic Winmail Server. The webmail, IMAP, and FTP services are affected. A remote authenticated user can view and upload arbitrary files and create and delete arbitrary directories. A remote authenticated user can also conduct cross-site scripting attacks.

A remote authenticated user can invoke the 'download.php' script with specially crafted parameters to obtain arbitrary files with the privileges of the web service. The script does not properly validate the user-supplied input.

A remote authenticated user can invoke the 'upload.php' script to upload files to arbitrary directories with the privileges of the web service. The script is normally used to upload e-mail attachments, but because it does not properly validate the user-supplied filename, a user can craft the filename so that the file is written to a location other than the intended attachment directory. The user can upload arbitrary PHP scripts and cause the Magic Winmail server to execute them with Local System privileges.

The '/admin/user.php' Webmail administration script does not properly filter HTML code when viewing a webmail user's username, full name, description, and company name. If a user has submitted specially crafted text via 'userinfo.php' and the administrator views this information, arbitrary scripting code will be executed by the target administrator's browser. The code will originate from the site running the Magic Winmail server software and will run in the security context of that site. As a result, the code will be able to access the target administrator's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

A remote authenticated IMAP user can invoke certain IMAP commands to view arbitrary files on the target system (including the e-mail of other users) or to create or delete arbitrary directories on the target system. IMAP commands such as CREATE, EXAMINE, SELECT, and DELETE do not properly validate user-supplied input to prevent directory traversal attacks.
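The webmail download/upload flaws and the IMAP CREATE/EXAMINE/SELECT/DELETE flaws above share one root cause: a client-supplied name is joined onto a server path without being confined to the caller's own folder. The following is an added example of the missing check, not code from Magic Winmail or from the advisory; the root directories, the user names and the requested names are constructed for illustration.

```python
import os
import re
from typing import Optional

# Constructed roots for this example; a real server reads them from its configuration.
WEBMAIL_ATTACH_ROOT = "/srv/mailserver/attach"  # per-user attachment folders live here
IMAP_MAILDIR_ROOT = "/srv/mailserver/mail"      # per-user mailbox folders live here

# One path component: no separators, no "." or "..", no drive letters or colons.
_COMPONENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def resolve_inside(root: str, *parts: str) -> Optional[str]:
    """Join parts under root and return the canonical path, or None if it escapes root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, *parts))
    # Compare with a trailing separator so that "/srv/mailserver/attach-other" is
    # not mistaken for something inside "/srv/mailserver/attach".
    if candidate == root_real or candidate.startswith(root_real + os.sep):
        return candidate
    return None


def attachment_path(user: str, filename: str) -> Optional[str]:
    """Map a webmail download/upload request to a file inside the user's own folder."""
    # Accept only a bare file name: no slashes, no backslashes, no dot-names.
    if not _COMPONENT_RE.match(user) or "/" in filename or "\\" in filename:
        return None
    if filename == "" or filename.startswith("."):
        return None
    # Canonicalise anyway, so a later change to the checks above cannot silently regress.
    return resolve_inside(WEBMAIL_ATTACH_ROOT, user, filename)


def mailbox_dir(user: str, mailbox: str) -> Optional[str]:
    """Map an IMAP mailbox name (CREATE/SELECT/EXAMINE/DELETE) to a directory."""
    # "." is the hierarchy delimiter; every level must be a clean component, which
    # rules out "..", empty levels such as "INBOX..Sent", and path separators.
    levels = mailbox.split(".")
    if not _COMPONENT_RE.match(user) or not all(_COMPONENT_RE.match(lvl) for lvl in levels):
        return None
    return resolve_inside(IMAP_MAILDIR_ROOT, user, *levels)


if __name__ == "__main__":
    # Constructed requests: one legitimate each, the rest traversal attempts that must be refused.
    for user, name in [("alice", "report.pdf"), ("alice", "../../secret.txt"), ("../bob", "x")]:
        print(f"download user={user!r} name={name!r} -> {attachment_path(user, name)}")
    for user, box in [("alice", "INBOX.Sent"), ("alice", "../bob/INBOX"), ("alice", "INBOX..Sent")]:
        print(f"SELECT user={user!r} mailbox={box!r} -> {mailbox_dir(user, box)}")
```

A refused request (a `None` result) is also the point at which a server should log the user and the raw name, since repeated refusals from one account are the detection signal for this class of probing.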

The FTP service does not validate the user-supplied IP address provided in an FTP PORT command. A remote authenticated user can issue a PORT command with an alternate IP address to cause the FTP server to attempt to connect to the specified port number on the specified IP address. This can be exploited to conduct port scans against IP addresses that the FTP server has connectivity to (possibly including hosts behind a firewall).
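The standard mitigation for the PORT problem described above is the one RFC 2577 recommends: only open the data connection back to the address the control connection came from, and never to a privileged port. The following is an added example of that check, not code from Magic Winmail or from the advisory; the peer address and PORT arguments are constructed values from the RFC 5737 test range.

```python
import ipaddress
from typing import Optional, Tuple


def parse_port_command(arg: str) -> Optional[Tuple[str, int]]:
    """Parse the "h1,h2,h3,h4,p1,p2" argument of an FTP PORT command (RFC 959)."""
    fields = arg.strip().split(",")
    if len(fields) != 6:
        return None
    try:
        nums = [int(f) for f in fields]
    except ValueError:
        return None
    if any(n < 0 or n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def evaluate_port_command(arg: str, control_peer_ip: str) -> str:
    """Decide whether to honour a PORT command; returns "ok" or the reason for refusal."""
    parsed = parse_port_command(arg)
    if parsed is None:
        return "malformed"
    host, port = parsed
    # The data connection may only go back to the host that opened the control
    # connection; a different address is the third-party case described above.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_peer_ip):
        return "address mismatch"
    # Ports below 1024 belong to services, never to a client's data listener.
    if port < 1024:
        return "privileged port"
    return "ok"


if __name__ == "__main__":
    # Constructed control-connection peer and PORT arguments.
    peer = "192.0.2.10"
    for arg in ("192,0,2,10,4,1", "192,0,2,99,4,1", "192,0,2,10,0,25", "192,0,2,10,4"):
        # A server would log refusals like this; repeated mismatches from one
        # client are the signal a defender watches for.
        print(f"PORT {arg} from {peer}: {evaluate_port_command(arg, peer)}")
```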

The vendor was notified on January 16, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/magicwinmail40.html

Impact:   A remote authenticated user can view arbitrary files on the target system and can create and delete arbitrary directories.

A remote authenticated user can upload arbitrary files to the target system and then cause the server to execute them with Local System privileges.

A remote authenticated user can access the target administrator's cookies (including authentication cookies), if any, associated with the site running the Magic Winmail server software, access data recently submitted by the target administrator via web form to the site, or take actions on the site acting as the target administrator.

Solution:   The vendor has released a fixed version (4.0 Build 1318), available at:

http://www.magicwinmail.net/download.asp

Vendor URL: www.magicwinmail.net/
Cause:   Access control error, Input validation error
Underlying OS:  Windows (Any)

Message History:   None.


Source Message Contents

Subject:  [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities


SIG^2 Vulnerability Research Advisory

Magic Winmail Server v4.0 Multiple Vulnerabilities

by Tan Chew Keong
Release Date: 27 Jan 2005


ADVISORY URL
http://www.security.org.sg/vuln/magicwinmail40.html


SUMMARY

Magic Winmail Server (http://www.magicwinmail.net/) is an enterprise 
class mail server software system offering a robust feature set, 
including extensive security measures. Winmail Server supports SMTP, 
POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam 
protection, anti-virus protection, SSL/TLS security, Network Storage, 
remote access, Web-based administration, and a wide array of standard 
email options such as filtering, signatures, real-time monitoring, 
archiving, and public email folders.

Multiple vulnerabilities were found in Magic Winmail Server's Webmail 
service, IMAP service and FTP service. Winmail Server's PHP-based 
Webmail has vulnerabilities that may be exploited to download arbitrary 
files from the server, to upload files to arbitrary directories, and to 
conduct Cross-Site Scripting (XSS) attacks. A directory traversal 
vulnerability in Winmail Server's IMAP service gives the malicious user 
the ability to read arbitrary users' emails, create/delete arbitrary 
directories on the server, and/or to retrieve arbitrary files from the 
server. In addition, Winmail Server's FTP service does not validate the 
IP address supplied in a PORT command. This may be exploited to perform 
port scans from the FTP server.


TESTED SYSTEM

Magic Winmail Server Version 4.0 Build 1112 on English Win2K SP4 and 
WinXP SP2.


DETAILS

1. Webmail Vulnerabilities

a. download.php directory traversal allows arbitrary file download

The download.php script allows a user to download his/her email file 
attachment. Lack of input parameter sanitization allows a logon mail 
user to retrieve arbitrary files from the server by supplying specially 
crafted input parameters to download.php.

b. upload.php directory traversal allows file upload to arbitrary 
directories

The upload.php script allows a mail user to upload his/her email file 
attachment when composing an email. Lack of input sanitization of the 
supplied filename allows a logon mail user to upload files to arbitrary 
locations on the server. This may be exploited to upload arbitrary PHP 
scripts into the webmail directory. Successful exploitation on the 
default installation of Winmail server will allow execution of arbitrary 
PHP scripts with LOCAL SYSTEM privilege.

c. XSS vulnerability in Webmail Web Administration when displaying mail 
users' personal info.

The /admin/user.php script allows the Webmail administrator to view 
webmail users' username, fullname, description, and company name. A 
malicious user may input JavaScript in his own personal info using 
userinfo.php. Due to lack of filtering of HTML special characters, this 
JavaScript will execute in the Webmail administrator's browser when the 
administrator accesses the /admin/user.php script. This JavaScript may 
be crafted to steal the administrator's session cookie, etc.


2. IMAP Service Directory Traversal Vulnerability

A directory traversal vulnerability was found in several of Winmail 
Server's IMAP commands. These vulnerable commands may be exploited by a 
malicious logon user to read arbitrary users' emails, create/delete 
arbitrary directories on the server, and/or to retrieve arbitrary files 
from the server. IMAP commands like CREATE, EXAMINE, SELECT and DELETE 
are affected by this vulnerability.


3. FTP Service PORT Command Vulnerability

Winmail Server's FTP service does not validate the IP address supplied 
in a PORT command. It is possible to issue the PORT command with an IP 
address that is different from the logon user's IP address. This may be 
exploited to perform port scans from the FTP server.


PATCH

Upgrade to version 4.0 (Build 1318).


DISCLOSURE TIMELINE

15 Jan 05 - Vulnerability Discovered.
16 Jan 05 - Initial Vendor Notification by Email and Web Form.
16 Jan 05 - Initial Vendor Reply.
27 Jan 05 - Received Email from Vendor that a Fixed Version was Released.
27 Jan 05 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
Copyright 2019, SecurityGlobal.net LLC