Release Date: 09/04/2003

TITLE
=====
Gordano Messaging Suite - Multiple Vulnerabilities

DESCRIPTION
===========
"Gordano Messaging Suite is the powerful messaging server running on Windows, Linux, Solaris and AIX. It is being used by over twenty four thousand customers, in more than ninety countries, covering all sectors (Airlines, Press, Government Agencies, Education, Industry, etc.)"

Gordano Messaging Suite is widely used by major organizations such as Compaq, Xerox, NASA, Cisco Systems, AT&T, FedEx, etc.

More information at http://www.gordano.com

PROBLEMS
========
Version         : Gordano Messaging Suite version 9, build 3138 (latest build)
Tested Platform : Windows 2000, Windows XP Professional, Linux (x86)

Multiple vulnerabilities in Gordano Messaging Suite (GMS) result in DoS attack and information disclosure (usernames, login time, domains, etc.).

DETAILS
=======
[Vulnerability #1] Remote DoS

x:\<Gordano Path>/bin/WWW.exe listens on the following ports to provide GMS Administration, WebMail Professional, WebMail Express, WebMail Mobile, Instant Messaging, and Web Server services to users: 80, 8000, 8025, 8081, 8888, 9000.

Sending a request such as /../.. to the GMS Web Server on port 80 terminates the www.exe process, and all services that WWW.exe provides shut down immediately.

~$ telnet 192.168.1.69
Trying 192.168.1.69...
Connected to 192.168.1.69
Escape character is '^]'.
GET /../.. HTTP/1.0

Connection closed by foreign host.

On Linux, the vulnerability doesn't terminate the /gordano/bin/WWW process, but the request never times out. If an attacker opens around 15-20 connections sending /../.. requests, that will probably be enough to keep the GMS Server busy and deny service to legitimate users. Restarting the service is needed in order to regain normal functionality.

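A detection-side view of the request above, as an added example that is not part of the original advisory: a Python filter that flags logged request lines whose path climbs above the document root, as /../.. does. It goes beyond the single request shown by also normalizing percent-encoded and backslash-separated paths; the combined log format, the sample entries and the function names are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Matches the request line inside an access-log entry (assumed combined log format).
REQUEST_LINE = re.compile(r'(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d')

def escapes_root(target, max_decode=3):
    """Return True if the request path climbs above the document root."""
    path = target.split('?', 1)[0]
    # Decode repeatedly so singly and doubly percent-encoded dots are normalized.
    for _ in range(max_decode):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    depth = 0
    for segment in re.split(r'[/\\]+', path):
        if segment in ('', '.'):
            continue
        if segment == '..':
            depth -= 1
            if depth < 0:
                return True   # walked above the root, as "/../.." does
        else:
            depth += 1
    return False

def flag_requests(lines):
    """Return (line_number, target) for each request whose path escapes the root."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_LINE.search(line)
        if match and escapes_root(match.group('target')):
            hits.append((number, match.group('target')))
    return hits

# Constructed sample entries (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Sep/2003:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [05/Sep/2003:10:00:02 +0000] "GET /../.. HTTP/1.0" 502 0',
    '192.0.2.12 - - [05/Sep/2003:10:00:03 +0000] "GET /docs/../index.html HTTP/1.0" 200 512',
    '192.0.2.11 - - [05/Sep/2003:10:00:04 +0000] "GET /%2e%2e/%2e%2e HTTP/1.0" 502 0',
    '192.0.2.11 - - [05/Sep/2003:10:00:05 +0000] "GET /a/b/../../../x HTTP/1.0" 502 0',
]

if __name__ == '__main__':
    for number, target in flag_requests(SAMPLE_LOG):
        print(f'line {number}: path escapes document root: {target}')
```
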
[Vulnerability #2] Information Disclosure [requires valid user credentials]

Alertlist.mml provides information about users who have logged in to the GMS Server and discloses useful information to attackers, such as usernames, domains, login times, etc. It is supposed to be accessible by the GMS Server's Administrator only, but a normal WebMail user can also access the script without logging in as an admin.

http://www.victim.com:8000/admin/reports/alertlist.mml

VENDOR STATUS
=============
The vendor has verified the issues. The patch can be downloaded from the following links:

Linux platform   : ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/linux/www_h20030905.zip
Windows platform : ftp://ftp.gordano.com/gms/3138/hotfixes/h20030905/windows/www_h20030905.zip

Author: Phuong Nguyen