
magicwinmail40.txt

Posted Jan 28, 2005
Authored by Tan Chew Keong | Site security.org.sg

Multiple vulnerabilities were found in Magic Winmail's Webmail, IMAP, and FTP services. Arbitrary file upload/download, cross site scripting, and directory traversal flaws all exist, along with the ability to access other users' mail. It really IS magic.

tags | advisory, arbitrary, vulnerability, imap, xss, file upload
SHA-256 | 6cdd0f75b8a65fb62d8a4639fd3d414b32de01bbd3ab23bb7757fb4fa79da5d6



SIG^2 Vulnerability Research Advisory

Magic Winmail Server v4.0 Multiple Vulnerabilities

by Tan Chew Keong
Release Date: 27 Jan 2005


ADVISORY URL
http://www.security.org.sg/vuln/magicwinmail40.html


SUMMARY

Magic Winmail Server (http://www.magicwinmail.net/) is an enterprise class mail server software system offering a robust feature set, including extensive security measures. Winmail Server supports SMTP, POP3, IMAP, Webmail, LDAP, multiple domains, SMTP authentication, spam protection, anti-virus protection, SSL/TLS security, Network Storage, remote access, Web-based administration, and a wide array of standard email options such as filtering, signatures, real-time monitoring, archiving, and public email folders.

Multiple vulnerabilities were found in Magic Winmail Server's Webmail service, IMAP service and FTP service. Winmail Server's PHP-based Webmail has vulnerabilities that may be exploited to download arbitrary files from the server, to upload files to arbitrary directories, and to conduct Cross-Site Scripting (XSS) attacks. A directory traversal vulnerability in Winmail Server's IMAP service gives a malicious user the ability to read arbitrary users' emails, create/delete arbitrary directories on the server, and/or retrieve arbitrary files from the server. In addition, Winmail Server's FTP service does not validate the IP address supplied in a PORT command. This may be exploited to perform port scans from the FTP server.


TESTED SYSTEM

Magic Winmail Server Version 4.0 Build 1112 on English Win2K SP4 and WinXP SP2.


DETAILS

1. Webmail Vulnerabilities

a. download.php directory traversal allows arbitrary file download

The download.php script allows a user to download his/her email file attachments. Lack of input parameter sanitization allows a logged-on mail user to retrieve arbitrary files from the server by supplying specially crafted input parameters to download.php.

b. upload.php directory traversal allows file upload to arbitrary directories

The upload.php script allows a mail user to upload an email file attachment when composing an email. Lack of input sanitization of the supplied filename allows a logged-on mail user to upload files to arbitrary locations on the server. This may be exploited to upload arbitrary PHP scripts into the webmail directory. Successful exploitation on the default installation of Winmail Server will allow execution of arbitrary PHP scripts with LOCAL SYSTEM privilege.

c. XSS vulnerability in Webmail Web Administration when displaying mail users' personal info.

The /admin/user.php script allows the Webmail administrator to view webmail users' username, full name, description, and company name. A malicious user may enter JavaScript in his own personal info using userinfo.php. Due to lack of filtering of HTML special characters, this JavaScript will execute in the Webmail administrator's browser when the administrator accesses the /admin/user.php script. Such scripts may be crafted to steal the administrator's session cookie, etc.


2. IMAP Service Directory Traversal Vulnerability

A directory traversal vulnerability was found in several of Winmail Server's IMAP commands. These vulnerable commands may be exploited by a malicious logged-on user to read arbitrary users' emails, create/delete arbitrary directories on the server, and/or retrieve arbitrary files from the server. IMAP commands like CREATE, EXAMINE, SELECT and DELETE are affected by this vulnerability.
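The webmail download/upload bugs (1a, 1b) and the IMAP bugs (2) share one root cause: a user-controlled name is joined to a storage path without checking that the result stays inside that user's directory. The following is an added illustration of the missing check, not code from Winmail or the advisory; the USER_ROOT layout is a hypothetical one assumed for the example, and backslashes are normalised because the tested platform is Windows.

```python
import posixpath

# Per-user storage root that attachment and mailbox operations must never escape.
# Hypothetical layout assumed for this example; Winmail's real on-disk paths are
# not given in the advisory.
USER_ROOT = "/winmail/store/alice"


def is_confined(base_dir: str, user_supplied: str) -> bool:
    """Return True only if base_dir joined with user_supplied stays inside base_dir.

    Covers the inputs the advisory's bugs accept unchecked: an attachment name for
    download.php, a filename for upload.php, or a mailbox name for IMAP
    CREATE/EXAMINE/SELECT/DELETE.  Backslashes are normalised because on Windows
    '..\\' traverses exactly like '../'.
    """
    if not user_supplied or "\x00" in user_supplied:
        return False
    candidate = user_supplied.replace("\\", "/")
    # Absolute paths and drive-letter prefixes can never resolve inside base_dir.
    if candidate.startswith("/") or (len(candidate) > 1 and candidate[1] == ":"):
        return False
    root = posixpath.normpath(base_dir)
    resolved = posixpath.normpath(posixpath.join(root, candidate))
    # The trailing separator stops '/store/alice2' from passing as '/store/alice'.
    return resolved == root or resolved.startswith(root + "/")


def resolve_user_path(base_dir: str, user_supplied: str):
    """Return the normalised path to operate on, or None when the request must be refused."""
    if not is_confined(base_dir, user_supplied):
        return None
    return posixpath.normpath(posixpath.join(base_dir, user_supplied.replace("\\", "/")))
```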


3. FTP Service PORT Command Vulnerability

Winmail Server's FTP service does not validate the IP address supplied in a PORT command. It is possible to issue the PORT command with an IP address that is different from the logged-on user's IP address. This may be exploited to perform port scans from the FTP server.
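The check an FTP server needs here is small: parse the PORT argument, require that its address equal the peer address of the control connection, and refuse privileged destination ports as RFC 2577 recommends. This is an added example written for this page, not Winmail code; the addresses in the test are constructed.

```python
import ipaddress


def parse_port_argument(arg: str):
    """Parse the h1,h2,h3,h4,p1,p2 argument of an FTP PORT command (RFC 959).

    Returns (IPv4Address, port) or raises ValueError on malformed input.
    """
    fields = arg.strip().split(",")
    if len(fields) != 6:
        raise ValueError("PORT argument must have six comma-separated numbers")
    values = []
    for field in fields:
        if not (field.isascii() and field.isdigit()):
            raise ValueError("non-numeric PORT field: %r" % field)
        value = int(field)
        if value > 255:
            raise ValueError("PORT field out of range: %d" % value)
        values.append(value)
    host = ipaddress.IPv4Address(".".join(str(v) for v in values[:4]))
    port = values[4] * 256 + values[5]
    return host, port


def port_command_allowed(arg: str, control_peer_ip: str) -> bool:
    """Decide whether the server should honour a PORT command.

    This is the validation the advisory says Winmail lacks: the data connection
    must go back to the client that issued the command on the control connection.
    A privileged destination port is also refused, so the server cannot be pointed
    at another service even on the client's own host.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError:
        return False
    if host != ipaddress.IPv4Address(control_peer_ip):
        return False
    if port < 1024:
        return False
    return True
```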


PATCH

Upgrade to version 4.0 (Build 1318).


DISCLOSURE TIMELINE

15 Jan 05 - Vulnerability Discovered.
16 Jan 05 - Initial Vendor Notification by Email and Web Form.
16 Jan 05 - Initial Vendor Reply.
27 Jan 05 - Received Email from Vendor that a Fixed Version was Released.
27 Jan 05 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."