[SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities
SIG^2 Vulnerability Research Advisory
Magic Winmail Server v4.0 Multiple Vulnerabilities
by Tan Chew Keong
Release Date: 27 Jan 2005
ADVISORY URL
http://www.security.org.sg/vuln/magicwinmail40.html
SUMMARY
Magic Winmail Server (http://www.magicwinmail.net/) is an enterprise class mail
server software system offering a robust feature set, including extensive
security measures. Winmail Server supports SMTP, POP3, IMAP, Webmail, LDAP,
multiple domains, SMTP authentication, spam protection, anti-virus protection,
SSL/TLS security, Network Storage, remote access, Web-based administration, and
a wide array of standard email options such as filtering, signatures, real-time
monitoring, archiving, and public email folders.
Multiple vulnerabilities were found in Magic Winmail Server's Webmail service,
IMAP service and FTP service. Winmail Server's PHP-based Webmail has
vulnerabilities that may be exploited to download arbitrary files from the
server, to upload files to arbitrary directories, and to conduct Cross-Site
Scripting (XSS) attacks. A directory traversal vulnerability in Winmail Server's
IMAP service gives a malicious user the ability to read arbitrary users'
emails, create/delete arbitrary directories on the server, and/or retrieve
arbitrary files from the server. In addition, Winmail Server's FTP service does
not validate the IP address supplied in a PORT command. This may be exploited
to perform port scans from the FTP server.
TESTED SYSTEM
Magic Winmail Server Version 4.0 Build 1112 on English Win2K SP4 and WinXP SP2.
DETAILS
1. Webmail Vulnerabilities
a. download.php directory traversal allows arbitrary file download
The download.php script allows a user to download his/her email file
attachments. Lack of input parameter sanitization allows a logged-on mail user
to retrieve arbitrary files from the server by supplying specially crafted
input parameters to download.php.
b. upload.php directory traversal allows file upload to arbitrary directories
The upload.php script allows a mail user to upload his/her email file
attachments when composing an email. Lack of input sanitization of the
supplied filename allows a logged-on mail user to upload files to arbitrary
locations on the server. This may be exploited to upload arbitrary PHP scripts
into the webmail directory. Successful exploitation on the default installation
of Winmail Server will allow execution of arbitrary PHP scripts with LOCAL
SYSTEM privilege.
c. XSS vulnerability in Webmail Web Administration when displaying mail users'
personal info.
The /admin/user.php script allows the Webmail administrator to view webmail
users' username, full name, description, and company name. A malicious user
may enter JavaScript in his own personal info using userinfo.php. Due to lack
of filtering of HTML special characters, this JavaScript will execute in the
Webmail administrator's browser when the administrator accesses the
/admin/user.php script. Such scripts may be crafted to steal the
administrator's session cookie, etc.
2. IMAP Service Directory Traversal Vulnerability
A directory traversal vulnerability was found in several of Winmail Server's
IMAP commands. These vulnerable commands may be exploited by a malicious
logged-on user to read arbitrary users' emails, create/delete arbitrary
directories on the server, and/or retrieve arbitrary files from the server.
IMAP commands such as CREATE, EXAMINE, SELECT and DELETE are affected by this
vulnerability.
3. FTP Service PORT Command Vulnerability
Winmail Server's FTP service does not validate the IP address supplied in a
PORT command. It is possible to issue the PORT command with an IP address that
is different from the logged-on user's IP address. This may be exploited to
perform port scans from the FTP server.
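The server-side check that item 3 says is missing, as an added example in Python (not Winmail's own code): it parses the RFC 959 PORT argument form h1,h2,h3,h4,p1,p2 and refuses a data address that differs from the control connection's peer, and also refuses privileged data ports as RFC 2577 recommends. The client address and sample commands below are constructed.

```python
import ipaddress
import re

# RFC 959 PORT syntax: six decimal byte values separated by commas.
PORT_RE = re.compile(r"^\s*(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$")


def parse_port_args(args):
    """Parse 'h1,h2,h3,h4,p1,p2' into (dotted_ip, port).

    Returns None when the syntax is wrong or any value exceeds one byte."""
    m = PORT_RE.match(args)
    if not m:
        return None
    fields = [int(x) for x in m.groups()]
    if any(v > 255 for v in fields):
        return None
    ip = ".".join(str(v) for v in fields[:4])
    port = fields[4] * 256 + fields[5]
    return ip, port


def validate_port_command(args, peer_ip):
    """Return (accepted, reply) for a PORT command received on a control
    connection whose remote address is peer_ip (hypothetical helper)."""
    parsed = parse_port_args(args)
    if parsed is None:
        return False, "501 Syntax error in parameters or arguments."
    ip, port = parsed
    # The check Winmail lacked: the data connection must go back to the client
    # itself, otherwise the server can be made to connect to third-party hosts.
    if ipaddress.ip_address(ip) != ipaddress.ip_address(peer_ip):
        return False, "500 Illegal PORT command: address does not match control connection."
    # RFC 2577 additionally advises refusing privileged (< 1024) data ports.
    if port < 1024:
        return False, "500 Illegal PORT command: privileged port."
    return True, "200 PORT command successful."


# Constructed sample session: a client at 192.0.2.10 sends four PORT commands.
CLIENT_IP = "192.0.2.10"
SAMPLE_COMMANDS = [
    "192,0,2,10,4,1",      # client's own address, port 1025 -> accepted
    "198,51,100,7,0,25",   # a different host -> rejected (the reported flaw)
    "192,0,2,10,0,80",     # client's address but privileged port -> rejected
    "192,0,2,999,4,1",     # octet out of range -> syntax error
]


def check_samples():
    """Accept/reject verdict for each constructed command, in order."""
    return [validate_port_command(c, CLIENT_IP)[0] for c in SAMPLE_COMMANDS]
```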
PATCH
Upgrade to version 4.0 (Build 1318).
DISCLOSURE TIMELINE
15 Jan 05 - Vulnerability Discovered.
16 Jan 05 - Initial Vendor Notification by Email and Web Form.
16 Jan 05 - Initial Vendor Reply.
27 Jan 05 - Received Email from Vendor that a Fixed Version was Released.
27 Jan 05 - Public Release.
GREETINGS
All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html
"IT Security...the Gathering. By enthusiasts for enthusiasts."