<<< Date Index >>>     <<< Thread Index >>>

[SIG^2 G-TEC] SurgeMail Webmail Attachment Upload and XSS Vulnerabilities




SIG^2 Vulnerability Research Advisory

SurgeMail Webmail Attachment Upload and XSS Vulnerabilities

by Tan Chew Keong
Release Date: 23 Mar 2005

ADVISORY URL
http://www.security.org.sg/vuln/surgemail22g3.html


SUMMARY

SurgeMail (http://netwinsite.com/surgemail/) is a next generation Mail Server - 
Combining features, performance and ease of use into a single integrated 
product. Ideal on Windows NT/2K, or UNIX (Linux, Solaris etc) and supports all 
the standard protocols IMAP, POP3, SMTP, SSL, ESMTP.

A vulnerability was found in SurgeMail's Webmail file attachment upload 
feature. This vulnerability may be exploited by a malicious Webmail user to 
upload files to certain locations on the server, obtain file listings of 
certain directories, and/or send certain files on the server to him/herself. 
Two XSS vulnerabilities were also found. 
 

TESTED SYSTEM

SurgeMail Version 2.2g3 Windows on English Win2K SP4.

 
DETAILS

This advisory document two Webmail vulnerabilities found in SurgeMail server. 
The first is a file attachment upload vulnerability. This vulnerability may be 
exploited by a malicious Webmail user to upload files to certain locations on 
the server, obtain file listings of certain directories, and/or send certain 
files on the server to him/herself. The second is a Cross-Site Scripting (XSS) 
vulnerability.

1. File Attachment Upload Vulnerability.
 
SurgeMail allows a logon user to attach files when composing a new email via 
the Webmail interface. Uploaded file attachments are temporarily stored in the 
c:\surgemail\web_work\u_xx\xxxx@hostname@127_0_0_1\attach\SomeRandomNumber\ 
directory. In particular, the value of SomeRandomNumber is part of this POST 
request (attach_id parameter) and is under the attacker's control. The server 
will create the directory "SomeRandomNumber" if it does not exist. By using 
directory traversal characters, it is possible to cause the uploaded files to 
be written to other directories.

2. Cross-Site Scripting (XSS) Vulnerabilities.

A user is allowed to configure an email auto-reply message using the Webmail 
interface. This auto-reply message consist of a message subject and a message 
header. It is possible to inject javascript in both these fields. If the 
Webmail administrator views this user's auto-reply message settings, the 
injected javascript will be executed on his browser. This may be exploited by a 
malicious user to steal the Webmail administrator's cookies or to redirect the 
administrator's browser to malicious websites.

Another XSS vulnerability occurs when webmail.exe is displaying an error 
message in response to an invalid value in the page parameter. The error 
message also reveals the installation path.


PATCH

Upgrade to the latest version of SurgeMail (Version 3.0c2 or later).

 
DISCLOSURE TIMELINE

18 Mar 05 - Vulnerability Discovered.
19 Mar 05 - Vulnerability Verification.
19 Mar 05 - Initial Vendor Notification.
22 Mar 05 - Vendor replied with fixed version.
23 Mar 05 - Public Release.
 

GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html 

"IT Security...the Gathering. By enthusiasts for enthusiasts."