RockLiffe MailSite Express WebMail Discloses WebMail Files to Remote Users and Permits Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1015117
SecurityTracker URL: http://securitytracker.com/id/1015117
Date: Oct 28 2005
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available: Yes. Vendor Confirmed: Yes. Exploit Included: Yes.
Version(s): prior to 6.1.22
A vulnerability was reported in RockLiffe MailSite Express WebMail. A remote authenticated user can obtain certain files on the target system. A remote user can conduct cross-site scripting attacks.
A remote authenticated user can modify the 'AttachPath' hidden HTML parameter when composing a message to cause arbitrary files in the MailSite Express WebMail directory to be attached to the outgoing message.
A remote user can send an HTML-based e-mail message to conduct cross-site scripting attacks against the target user. If the target user has selected to save their login information locally, then the target user's password can be obtained via this type of attack, as the password is stored in plain text within a cookie.
The vendor was notified in July, 2005.
Paul Craig of Security-Assessment.com discovered this vulnerability.
The original advisory is available at:
A remote authenticated user can obtain certain files on the target system.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the MailSite software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
The vendor has issued a fixed version (6.1.22), available at:
Vendor URL: www.rockliffe.com/products/express-webmail-server.asp
Cause: Access control error, Input validation error
Underlying OS: Windows (NT), Windows (2000)
Source Message Contents
Subject: [Full-disclosure] Multiple vulnerabilities within RockLiffe
= Multiple vulnerabilities within RockLiffe MailSite Express WebMail
= Also available online at
= Vendor Website:
= Affected Version:
= All versions of RockLiffe MailSite Express WebMail prior to v6.1.22
= Public disclosure on October 28th, 2005
== Overview ==
During an audit of a client, Security-Assessment.com discovered multiple
critical vulnerabilities within the RockLiffe MailSite Express WebMail
The vulnerabilities include the retrieval of arbitrary files from the
web server, and bypassing attachment validation routines allowing for
remote code execution.
== Exploitation ==
Exploit 1: Cross Site Scripting Vulnerabilities
Recipients who save their login information locally are vulnerable to
When the option to save login information is selected, the user's password
is stored as plaintext within the cookie.
Crafting an email with scripting in the body will cause the execution of
the scripting in the context of the site, allowing for the theft of the
A basic test for this is to include the following in the body of a message:
<script> alert(document.cookie) </script>
Exploit 2: Multiple Script Attachment Validation Flaws
The WebMail software attempts to verify the validity of an attachment within
a received message. It automatically modifies the extension of any files
ending in .asp, by changing them to .asp.txt. This is an attempt to avoid
remote code execution through an attached file.
However, these validity checks can be defeated and script files saved to
By default, only files ending in .asp are identified and rejected as script
files. If a malicious user were to attach an .asa file instead, Web Mail
would accept the script attachment, saving the file locally with the
When the .asa file is requested, the script contents are executed in the same
manner as a .asp file. This flaw also applies to other extensions
such as .htr and .aspx.
A similar flaw exists when an attachment is sent with the filename
In this instance the message subject is used as the file name, and .asa
script files can be saved locally.
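As an added illustration (not MailSite's own code), the Python below models the deny-list check the advisory describes beside an allow-list version that also neutralises .asa, .htr and .aspx names and the subject-derived filenames from the second flaw; the set of inert extensions and the fallback name are assumptions.

```python
"""Attachment-name validation: the weak extension check described in the
advisory next to a hardened allow-list version. Added example, not
MailSite code; SAFE_EXTENSIONS and the fallback name are assumptions."""
import posixpath
import re

# Weak check modelled on the advisory: only .asp is renamed to .asp.txt.
SCRIPT_DENYLIST = (".asp",)


def weak_safe_name(filename: str) -> str:
    """Deny-list check: any extension not listed passes through unchanged,
    so .asa, .htr and .aspx names are saved as-is and stay executable."""
    name = posixpath.basename(filename.replace("\\", "/"))
    if name.lower().endswith(SCRIPT_DENYLIST):
        return name + ".txt"
    return name


# Hardened check: keep only extensions known to be inert; anything else,
# including every server-side script type and names with no extension
# (for example a subject line used as the filename), gets .txt appended.
SAFE_EXTENSIONS = {".txt", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".zip"}
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def hardened_safe_name(filename: str, fallback: str = "attachment") -> str:
    """Allow-list check with path stripping and character normalisation."""
    # Drop any directory component the client may have supplied.
    name = posixpath.basename(filename.replace("\\", "/"))
    # Replace characters outside a conservative set, then trim dots and
    # underscores so names like "..." cannot survive.
    name = _UNSAFE_CHARS.sub("_", name).strip("._")
    if not name:
        name = fallback
    # Only the final extension matters to the web server's script mapping.
    _stem, dot, ext = name.rpartition(".")
    if not dot or ("." + ext.lower()) not in SAFE_EXTENSIONS:
        return name + ".txt"
    return name
```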
Exploit 3: Retrieve Arbitrary System Files via Web Mail
The location of file attachments for a mail message currently being composed
is stored as a physical file path included in the HTML as a hidden field.
An example of this is shown below:
<input type="hidden" name="AttachPath"
This value points to the location where the attachments for the message are
stored; by default, all files within this directory are considered
attachments for the message currently being composed.
This value can be manipulated and a message can be sent with arbitrary
For example, posting the variable AttachPath = H:\Express3Webmail6.1.20\
would send the recipient a copy of the docroot.
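Added illustration in Python, not MailSite's code: the preferred fix derives the attachment directory from the server-side session rather than a hidden field, and a containment check is shown for the case where a client-supplied AttachPath must still be accepted; the `attach` subdirectory under the advisory's example install path and the session-id format are assumptions.

```python
"""Server-side handling of the attachment directory. Added example, not
MailSite code. ntpath is used so the Windows path logic runs anywhere."""
import ntpath
import re

# Constructed root: the advisory's example install is H:\Express3Webmail6.1.20\,
# the "attach" subdirectory is an assumption for this illustration.
ATTACH_ROOT = r"H:\Express3Webmail6.1.20\attach"
_SESSION_ID = re.compile(r"[A-Za-z0-9]{8,64}")


def attach_dir_for_session(session_id: str) -> str:
    """Preferred fix: the directory comes from server-side session state,
    so there is no client-editable path to tamper with. The id is checked
    against a strict pattern before it is joined onto the root."""
    if not _SESSION_ID.fullmatch(session_id):
        raise ValueError("malformed session id")
    return ntpath.join(ATTACH_ROOT, session_id)


def is_inside_attach_root(client_path: str) -> bool:
    """Fallback check if a client-supplied AttachPath must be accepted:
    canonicalise both paths (collapsing '..', case and separators) and
    require the candidate to be strictly below the attachment root.
    The root itself is rejected because it holds other users' directories."""
    root = ntpath.normcase(ntpath.normpath(ATTACH_ROOT))
    cand = ntpath.normcase(ntpath.normpath(client_path))
    try:
        common = ntpath.commonpath([root, cand])
    except ValueError:
        # Different drive, UNC share, or a relative path: never inside.
        return False
    return common == root and cand != root
```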
== Solutions ==
Security-Assessment.com has been in contact with RockLiffe software and a
new version of the software has been released to address the discovered
Security-Assessment.com urges RockLiffe users to upgrade to v6.1.22
by downloading the new version at
== Credit ==
Discovered and advised to RockLiffe software July, 2005 by Paul Craig of
== About Security-Assessment.com ==
Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors' products.
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/