'Multiple Web Interface Security Holes'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Multiple Web Interface Security Holes
From:       Marc <Marc () EEYE ! COM>
Date:       1999-05-26 6:58:27
[Download RAW message or body]

Multiple Web Interface Security Holes

Systems Affected
CMail 2.3
FTGate 2,1,2,1
NTMail 4.20

Release Date
May 26, 1999

Advisory Code
AD05261999

Description:

The following holes were found while testing Retina against a few various
services that have web based interfaces. The holes are nothing amazing just
common amongst many web based interfaces. We are sure some other software
will be found with similar holes... if you come across some contact
info@eeye.com and let us know.

---> CMail

The default location of the web based interface for CMail is C:\Program
Files\Computalynx\CMail Server\pages\. It is a simple hole. For example if
we were to load http://[server]:8002/../spool/username/mail.txt in our web
browser we would be looking at the email for that user. Note: Mail.txt is
not the real mail file. There is one minor problem... reading of files is
not totally straight forward. It seems CMail has some mechanism of what it
will read or not. If you have a text file with no carriage returns in it
CMail will not read it. There also exists multiple buffer overflows within
the various SMTP and POP server functions of CMail. Yes they are
exploitable. >:-]

---> FTGate

Same as above basically. http://[server]:8080/../newuser.txt The only
difference is that FTGate doesn't seem to mind if the file has the carriage
returns or not.

---> NTMail

NTMail suffers from the same programming flaw...
http://[server]:8000/../../../../../boot.ini.

There is other server software out there that suffers from these common
holes. An average of 65% of the software we have tested thus far has had
problems with restricting the path that they allow. NTMail as well as the
other two can be run as a service, NTMail does it by default, therefore you
can read files as SYSTEM on most of them.

Fixes

Disable the web interfaces where applicable until the vendors release
patches.

Vendor Status

All vendors have been notified.

Copyright (c) 1999 eEye Digital Security Team
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail alert@eEye.com for
permission.

Disclaimer:

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security Team

info@eEye.com
http://www.eEye.com

([Retina, because a security scanner should do more then what it is told.])

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic