hola,

Endymion's (http://www.endymion.com) SakeMail and Mailman have a classic file-disclosure vulnerability (details attached).

nice day,
rC

security@freefly.com
rudicarell@hotmail.com
http://www.websec.org
Product: Mailman - Webmailsystem (http://www.endymion.com)

Problem Description:
Due to missing input validation it is possible to read files with the web server's (or Mailman's) permissions. A similar (pretty much the same) bug was discovered 2 years ago by SecureReality (http://www.securereality.com.au/, http://online.securityfocus.com/archive/1/149214).

Example:
An HTTP request to

    http://hostname/cgi-bin/mmstdo*.cgi

with the following parameters

    USERNAME=
    PASSWORD=
    ALTERNATE_TEMPLATES=[relative FILE/PATH][Nullbyte/0x00]

... will lead to disclosure of [FILE/PATH].

Summary:
object:    mmstdo*.cgi (Perl script)
class:     referring to OWASP-IV (Input Validation Classes)
           Directory Traversal (IV-DT-1) http://www.owasp.org/projects/cov/owasp-iv-dt-1.htm
           Null Character (IV-NC-1) http://www.owasp.org/projects/cov/owasp-iv-nc-1.htm
remote:    yes
local:     ---
severity:  medium
vendor:    has been informed [got a ticket# from some automated reply .. but nothing else]
patch/fix: ???
recommended fix: sanitize meta-characters from user input

security@freefly.com
rudicarell@hotmail.com
http://www.websec.org

check out the Open Web Application Security Project http://www.owasp.org
Product: SakeMail - Webmailsystem (http://www.endymion.com)

Problem Description:
Due to missing input validation it is possible to read XML and other files with SakeMail's permissions. Read THIS (javanullbyte.html) for additional info on null bytes and Java classes!

Example:
An HTTP request to

    http://hostname/com.endymion.sake.servlet.mail.MailServlet

with the following parameters

    cmd_help=1
    param_name=[relative FILE/PATH][Nullbyte/0x00]

... will lead to disclosure of [FILE/PATH].

Remark:
For some strange reason the XML parser used on Windows behaves differently: the Unix version lets you read any file, while the Windows version only allows "XML-style" files to be read. If the system authenticates against MySQL or MSSQL it is very likely that database usernames and passwords can be found in general.ini or mail.ini.

Config files with sensitive information:
    mail.ini (DB usernames and passwords)
    general.ini
    mssqlserver.sql
    mysql.sql

Summary:
vendor:    Endymion (http://www.endymion.com)
system:    SakeMail (all versions)
object:    com.endymion.sake.servlet.mail.MailServlet (maybe others)
class:     referring to OWASP-IV (Input Validation Classes)
           Directory Traversal (IV-DT-1)
           Null Character (IV-NC-1)
remote:    yes
local:     ---
severity:  medium-high
vendor:    has been informed (got a ticket# from some automated reply .. but nothing else)
patch/fix:
recommended fix: sanitize meta-characters from user input

(c) 2002 Martin Eiszner
security@freefly.com
http://www.websec.org
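As an added example (not Endymion's code and not part of the original advisories), this is the "sanitize meta-characters from user input" fix both attachments recommend, written in Python for a parameter that plays the role of ALTERNATE_TEMPLATES or param_name: the NUL byte is rejected before any suffix check, because Perl's open() and the Java File API of that era pass the string to C, where the NUL silently ends it, and the canonical path is then confined to the template directory. Function names, the temporary base directory and the file names are constructed for the demo.

```python
import os
import tempfile


def resolve_template(base_dir, requested, allowed_suffix=".html"):
    """Map a user-supplied template name to a file inside base_dir, or
    return None if the request must be refused.

    Order matters: the NUL check comes first.  A suffix test on the full
    string would pass for "../../etc/passwd\\x00.html" while the native
    open() call, stopping at the NUL, opens /etc/passwd (OWASP IV-NC-1).
    """
    if not requested or "\x00" in requested:
        return None
    base = os.path.realpath(base_dir)
    # realpath collapses '..' and symlinks before the containment test
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: '/srv/tpl' must not match '/srv/tpl2/x'
    if os.path.commonpath([base, candidate]) != base:
        return None  # directory traversal (OWASP IV-DT-1)
    if not candidate.endswith(allowed_suffix):
        return None
    return candidate


def demo():
    """Run the check on constructed inputs shaped like the advisories'
    requests (relative path plus NUL); returns name -> accepted?"""
    base = tempfile.mkdtemp()  # constructed template directory
    open(os.path.join(base, "default.html"), "w").close()
    inputs = [
        "default.html",               # legitimate template
        "sub/../default.html",        # '..' that still stays inside base
        "../../etc/passwd",           # traversal, wrong suffix
        "../../etc/passwd\x00.html",  # traversal hidden behind NUL + suffix
        "default.html\x00",           # NUL alone
        "/etc/passwd",                # absolute path makes join() drop base
    ]
    return {name: resolve_template(base, name) is not None for name in inputs}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print("accepted" if accepted else "rejected", repr(name))
```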