[SIG^2 G-TEC] 602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [SIG^2 G-TEC] 602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories
From: <chewkeong@xxxxxxxxxxxxxxx>
Date: 8 Feb 2005 07:14:25 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm


SIG^2 Vulnerability Research Advisory

602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories

by Tan Chew Keong
Release Date: 07 Feb 2005

ADVISORY URL
http://www.security.org.sg/vuln/602lansuite1221.html


SUMMARY

602LAN SUITE (http://www.software602.com/products/ls/) is a secure mail server 
with antivirus and anti-spam, built-in firewall with NAT and Web content filter 
proxy for controlled Internet sharing. The integrated Web server provides 
access to the Web Mail client, shared address book, remote administration and 
user home pages. SSL, ISAPI, CGI, and FastCGI support is available.

A directory traversal vulnerability was found in 602LAN SUITE's Web Mail file 
attachment upload feature that may be exploited to upload files to arbitrary 
locations on the server. A malicious mail user may upload an EXE file to the 
/cgi-bin directory of the server, and execute it by requesting the URL of the 
upload EXE file.

 
TESTED SYSTEM

602LAN SUITE Version 2004.0.04.1221 on English WinXP SP2, Win2K SP4.

 
DETAILS

602LAN SUITE's Web Mail allows a logon mail user to upload file attachments 
when composing an email. Lack of input sanitization of the supplied filename 
allows the user to upload files to arbitrary location on the server. This may 
be exploited by a malicious web mail user to upload EXE files to the /cgi-bin 
directory of the server. After uploading the EXE file to /cgi-bin, it is 
possible to execute that file by directly requesting it's URL (i.e. 
http://[hostname]/cgi-bin/test.exe). Successful exploitation will allow upload 
and execution of arbitrary code/EXE files on the server.


PATCH

Upgrade to 602LAN SUITE version 2004.0.05.0207.

 
DISCLOSURE TIMELINE

22 Jan 05 - Vulnerability Discovered.
22 Jan 05 - Initial Vendor Notification using online Bug Report Form.
24 Jan 05 - Second Vendor Notification using online Bug Report Form and Email.
26 Jan 05 - Initial Vendor Reply.
04 Feb 05 - Vendor provided beta version.
07 Feb 05 - Received Notification that Fixed Version was Released.
07 Feb 05 - Public Release


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."

Prev by Date: EEYE: Windows SMB Client Transaction Response Handling Vulnerability
Next by Date: [SCL-2005.002] - IDN Feature Workaround via proxy.pac
Previous by thread: EEYE: Windows SMB Client Transaction Response Handling Vulnerability
Next by thread: [SCL-2005.002] - IDN Feature Workaround via proxy.pac
Index(es):
- Date
- Thread