WebAdmin useredit_account.wdm Permits Cross-Site Scripting Attacks and Lets Remote Authenticated Users Access Other Accounts
SecurityTracker Alert ID: 1013038|
SecurityTracker URL: http://securitytracker.com/id/1013038
(Links to External Site)
Date: Jan 29 2005
Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes |
Version(s): 3.0.2 and prior versions|
A vulnerability was reported in Alt-N's WebAdmin. A remote authenticated user can access a target user's account. A remote user can conduct cross-site scripting attacks.|
David A. Perez reported that the 'useredit_account.wdm' script does not properly validate user-supplied input in the 'user' parameter. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the site running the WebAdmin software and will run in the security context of that site. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
A demonstration exploit URL is provided:
A remote authenticated user can invoke the 'useredit_account.wdm' script to access a target user's account. A demonstration exploit URL is provided:
A remote user can create a specially crafted URL that, when loaded by a target user, will load arbitrary HTML in the context of the WebAdmin server. A demonstration exploit URL is provided:
The vendor was notified on December 14, 2004.
A remote user can access a target user's account.|
A remote user can cause arbitrary HTML to be displayed in the context of the target WebAdmin server.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the WebAdmin software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has released a fixed version (3.0.4), available at:|
Vendor URL: www.altn.com/products/default.asp?product%5Fid=WebAdmin (Links to External Site)
Access control error, Input validation error|
|Underlying OS: Windows (Any)|
Source Message Contents
Subject: Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2|
WebAdmin is a web application to administer MDaemon and RelayFax. It
can be run on its own or as an ISAPI application under Microsoft
Internet Information Services (IIS). MDaemon is an e-mail server for
Microsoft Windows. RelayFax is a fax server also for Microsoft
Windows. Both applications have been developed by the same company
than WebAdmin, Alt-N Technologies, and is not included by default with
MDaemon, nor with RelayFax.
>From Alt-N Website:
WebAdmin allows administrators to securely manage MDaemon, RelayFax,
and WorldClient from anywhere in the world. This convenient remote
administration tool is FREE of charge and is a separate download from
The current version of WebAdmin is 3.0.4.
(1) Cross Site Scripting (XSS)
A Cross Site Scripting exists on the useredit_account.wdm file. Example:
(2) Users can edit all the user accounts
There is no validation on the useredit_account.wdm script to disable
access to other user accounts. Example:
(3) HTML Injection
The file modalfram.wdm allows to load any web page to make it look as
if comes from the WebAdmin server. Example:
- This vulnerabilities would not enable an attacker to gain any
privileges on an affected computer.
- An attacker will need to be able to logon to WebAdmin to take
advantage of vulnerability number 2, but he will only be able to view
or modify the settings that he can modify on his own account (for
example, if an user cannot modify his own "Name", he won't be able to
modify the name in any other account, but if he can modify his own
"Name", he will be able to modify the name in any other account).
Vendor notified on December 14, 2004.
Vendor replied on December 14, 2004.
Patch released on December 14, 2004.
_ _ _
| | __ __ _ _ __ ___ | |__ ___ _ __ (_) ___
| |/ / / _` || '_ ` _ \ | '_ \ / _ \ | '__|| | / _ \
| < | (_| || | | | | || |_) || (_) || | | || (_) |
|_|\_\ \__,_||_| |_| |_||_.__/ \___/ |_| |_| \___/