[24544] in bugtraq
Endymion SakeMail and MailMan File Disclosure Vulnerability
daemon@ATHENA.MIT.EDU (rudi carell)
Tue Mar 5 16:03:33 2002
From: "rudi carell" <rudicarell@hotmail.com>
To: BUGTRAQ@securityfocus.com
Date: Tue, 05 Mar 2002 17:47:38
Message-ID: <F193X6Mma0n7J95K7aI000155b1@hotmail.com>
Hello,
Endymion's (http://www.endymion.com) SakeMail and
MailMan have a classic file-disclosure vulnerability
(details attached).
nice day,
rC
security@freefly.com
rudicarell@hotmail.com
http://www.websec.org
--- Attachment: mailman.txt ---
Product:
Mailman - webmail system (http://www.endymion.com)
Problem Description:
Due to missing input validation it is possible to read files with the
web server's (or Mailman's) permissions.
A similar (pretty much the same) bug was discovered two years ago by
"secureality"
(http://www.securereality.com.au/) / (http://online.securityfocus.com/archive/1/149214).
Example:
An HTTP request to:
http://hostname/cgi-bin/mmstdo*.cgi
with the following parameters:
USERNAME=
PASSWORD=
ALTERNATE_TEMPLATES= [relative FILE/PATH] [Nullbyte/0x00]
... will lead to disclosure of [FILE/PATH]
Summary:
object: mmstdo*.cgi (Perl Script)
class: Referring to OWASP-IV (Input Validation Classes)
Directory Traversal (IV-DT-1)
http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
Null Character (IV-NC-1) http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
remote: yes
local: ---
severity: medium
vendor: has been informed [got a ticket# from some automated reply, but
nothing else]
patch/fix: ???
recommended fix: sanitize meta-characters from user input
security@freefly.com
rudicarell@hotmail.com
http://www.websec.org
check out the Open Web Application Security project
http://www.owasp.org
--- Attachment: sakemail.txt ---
Product:
SakeMail - webmail system (http://www.endymion.com)
Problem Description:
Due to missing input validation it is possible to read XML and other files with
SakeMail's permissions.
Read THIS (javanullbyte.html) for additional information on null bytes and
Java classes!
Example:
An HTTP request to:
http://hostname/com.endymion.sake.servlet.mail.MailServlet
with the following parameters:
cmd_help=1
param_name= [relative FILE/PATH] [Nullbyte/0x00]
... will lead to disclosure of [FILE/PATH]
Remark:
For some strange reason the XML parser used on Windows behaves differently:
the Unix version lets you read any file, while the Windows version allows
only "XML-style" files to be read.
If the system authenticates against MySQL or MSSQL it is very likely that
database usernames and passwords can be found in general.ini or mail.ini.
config-files with sensitive information:
mail.ini (db-usernames and passwords)
generali.ini
mssqlserver.sql
mysql.sql
Summary:
vendor: Endymion (http://www.endymion.com)
system: SakeMail (all versions)
object: com.endymion.sake.servlet.mail.MailServlet (maybe others)
class: Referring to OWASP-IV (Input Validation Classes)
Directory Traversal (IV-DT-1) Null Character (IV-NC-1)
remote: yes
local: ---
severity: medium-high
vendor: has been informed (got a ticket# from some automated reply, but
nothing else)
patch/fix:
recommended fix: sanitize meta-characters from user input
(c) 2002 Martin Eiszner
security@freefly.com
http://www.websec.org
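As an added example (not part of the original post and not Endymion's code), the pattern behind both attachments, in Python: a webmail "template loader" that URL-decodes a client parameter, appends a fixed extension and hands the result to a NUL-terminated C API, next to a hardened resolver. The template directory, the parameter handling and the ".tmpl" extension are assumptions, and the attack string is constructed for the demonstration. Python itself refuses embedded NULs in file names, so the truncation that Perl 5 and Java of that era passed straight through to the C library is modelled by c_string_view() rather than triggered through the real open().

```python
"""
Added example for the two flaws the advisory classifies as OWASP IV-DT-1
(directory traversal) and IV-NC-1 (null character), written in the shape
of a webmail template loader. Illustration code for this note, not
Endymion's code; the directory layout, parameter and extension are assumed.
"""
import os
import string
import tempfile
from urllib.parse import unquote_to_bytes

# Conservative allowlist for a template name: no "/" and no "\\", so "../"
# and "..\\" never reach the file system layer in the first place.
ALLOWED = set(string.ascii_letters + string.digits + "_-.")


def c_string_view(path: bytes) -> bytes:
    """How a NUL-terminated C API sees the path: bytes after 0x00 vanish,
    and with them the extension the script appended."""
    return path.split(b"\x00", 1)[0]


def naive_template_path(base: bytes, raw_param: str) -> bytes:
    """The vulnerable pattern: URL-decode the parameter and glue it between
    the template directory and a fixed extension with no validation."""
    return base + b"/" + unquote_to_bytes(raw_param) + b".tmpl"


def resolve_template(base: str, raw_param: str) -> str:
    """Hardened resolver: reject NUL, allowlist characters, resolve the real
    path and refuse anything that ends up outside the template directory."""
    name = unquote_to_bytes(raw_param)
    if b"\x00" in name:
        raise ValueError("embedded NUL in template name")
    try:
        text = name.decode("utf-8")
    except UnicodeDecodeError:
        raise ValueError("template name is not valid UTF-8") from None
    if not text or any(ch not in ALLOWED for ch in text):
        raise ValueError("template name contains disallowed characters")
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, text + ".tmpl"))
    # realpath collapses ".." and follows symlinks, so the containment check
    # is made on the final location, not on the string the client sent.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("template path escapes the template directory")
    return candidate


def run_checks() -> dict:
    """Exercise both code paths with a constructed attack string; results are
    returned rather than only printed so they can be asserted on."""
    attack = "..%2F..%2F..%2F..%2Fetc%2Fpasswd%00"   # constructed input
    base = b"/var/www/mailman/templates"             # assumed layout
    naive = naive_template_path(base, attack)
    truncated = c_string_view(naive)
    results = {
        "naive_full": naive,
        "naive_as_c_sees_it": truncated,
        "naive_resolves_to": os.path.normpath(truncated),
    }
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "default.tmpl"), "w") as fh:
            fh.write("<html>default</html>")
        results["hardened_legit"] = os.path.basename(resolve_template(tmp, "default"))
        for probe in (attack, "..%2Fmail.ini%00", "%2Fetc%2Fpasswd"):
            try:
                resolve_template(tmp, probe)
                results[probe] = "ACCEPTED"
            except ValueError as exc:
                results[probe] = "rejected: " + str(exc)
        # A name that passes the allowlist but points outside via a symlink:
        # only the realpath containment check catches this one.
        link = os.path.join(tmp, "evil.tmpl")
        try:
            os.symlink("/etc", link)
        except OSError:
            results["symlink_escape"] = "skipped: cannot create symlink"
        else:
            try:
                resolve_template(tmp, "evil")
                results["symlink_escape"] = "ACCEPTED"
            except ValueError as exc:
                results["symlink_escape"] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value!r}")
```

The naive path shows why the advisory lists two classes at once: "../" carries the request out of the template directory, and the trailing 0x00 cuts off the ".tmpl" suffix the script relied on to restrict what it opens. The hardened resolver layers three independent checks (NUL rejection, a character allowlist, and a realpath containment test); the last one is the reason a symlink planted inside the template directory is still refused, which a pure string filter on the client input would miss.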