Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6
ShineShadow Security Report 22042005-04
TITLE: Multiple vulnerabilities in Argosoft Mail Server Pro 1.8.7.6.
BACKGROUND
ArGoSoft Mail Server is a fully functional SMTP/POP3/Finger (the Pro version also
has an IMAP module) server for Windows 95/98/NT/2000, which will let you turn your
computer into an email system. It's very compact, takes about 1-5 Mb of disk
space (depending on the version), does not have any specific memory
requirements, and, what is most important - it's very easy to use.
Source: www.argosoft.com
VULNERABLE PRODUCTS
Argosoft Mail Server Pro 1.8.7.6 (possibly other versions)
DETAILS
1. Multiple cross-site scripting (XSS) vulnerabilities.
Description:
A remote user can carry out a cross-site scripting (XSS) attack. This is
possible because some HTML tags in email messages are not filtered (for example,
the "src" attribute of the IMG tag). An attacker can send the victim a specially
crafted email message. If the victim views this message using the web interface,
the attacker's script code is executed in the victim's web browser. Many XSS
vulnerabilities also exist in the input boxes of the webmail pages (for example,
User settings, Address book and others).
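The missing defence in item 1 is output filtering of message HTML before it reaches the browser. The following allowlist sanitizer is an added example, not ArGoSoft code: only listed tags and attributes survive, URL-bearing attributes must carry an http, https or cid scheme, script/style content is discarded, all text is re-escaped, and every removal is recorded so the server can log what it stripped. The allowlist itself is an assumed policy for the example.

```python
"""Allowlist HTML sanitizer for displaying e-mail bodies in a webmail UI.

Added example, not ArGoSoft code. Only tags and attributes on the allowlist
survive; URL-bearing attributes (src, href) must use an http, https or cid
scheme; everything else, including on* event handlers and javascript: URLs,
is dropped and recorded so the server can log what it removed.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# tag -> attributes allowed on it (assumed policy for this example)
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "u": set(),
    "em": set(), "strong": set(), "ul": set(), "ol": set(), "li": set(),
    "blockquote": set(), "a": {"href"}, "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}                        # never get a closing tag
URL_ATTRS = {"href", "src"}
ALLOWED_SCHEMES = {"http", "https", "cid"}
CONTENT_DROPPED_WITH_TAG = {"script", "style"}   # discard their text too


def _safe_url(value):
    """Accept only absolute URLs with an allowed scheme.

    Whitespace and control characters are removed first because browsers
    ignore them inside a scheme, so a split scheme must not slip through.
    """
    cleaned = "".join(ch for ch in value if ch.isprintable() and not ch.isspace())
    return urlparse(cleaned).scheme.lower() in ALLOWED_SCHEMES


class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.dropped = []   # audit trail: what was removed and why
        self._skip = 0      # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            self.dropped.append("tag:" + tag)
            if tag in CONTENT_DROPPED_WITH_TAG:
                self._skip += 1
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_TAGS[tag]:
                self.dropped.append(f"attr:{tag}.{name}")   # e.g. event handlers
            elif name in URL_ATTRS and not _safe_url(value):
                self.dropped.append(f"url:{tag}.{name}")    # e.g. javascript: URL
            else:
                kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in CONTENT_DROPPED_WITH_TAG and self._skip:
            self._skip -= 1
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))   # re-escape all text


def sanitize(message_html):
    """Return (clean_html, dropped) for an untrusted message body."""
    parser = MailSanitizer()
    parser.feed(message_html)
    parser.close()
    return "".join(parser.out), parser.dropped


if __name__ == "__main__":
    # constructed sample: event handler, javascript: URL and a script block
    sample = ('<p onclick="x">Hi <img src="javascript:alert(1)" alt="pic">'
              '<script>alert(1)</script> <a href="https://example.com/">ok</a></p>')
    print(sanitize(sample))
```

The same filter belongs on every value echoed back from the webmail forms (User settings, Address book), and the `dropped` list is worth logging: a burst of `url:img.src` or `attr:*.onerror` entries for one mailbox is a cheap detection signal for XSS attempts against its owner.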
2. Copying or moving files with arbitrary content and .eml extension to
arbitrary locations on the server.
Vulnerable script: delete
Description:
A remote user who has an account on Argosoft Mail Server can copy or move their
own .eml files with arbitrary content (which could, for example, be uploaded as
an attachment) to arbitrary locations on the server. This is a directory
traversal vulnerability. The new name of the moved or copied .eml file is
randomly generated by the script.
3. Deleting own account on the mail server.
Vulnerable script: folderdelete
Description:
A remote user who has an account on Argosoft Mail Server can delete their home
directory and account on the mail server. This is an input validation error in
the "Folder" parameter.
4. Creating arbitrary user accounts on mail server.
Vulnerable script: addnew
Description:
A remote user can create a user account on the mail server even if the option
"Allow Creation of Accounts From the Web Interface" has been disabled. This is
possible because the script does not require authentication. An attacker can
send a POST request to the vulnerable script to create a valid user account on
the remote mail server. After that, the other vulnerabilities described in this
report can be used to gain full control of Argosoft Mail Server or the remote
system.
5. Viewing arbitrary files on mail server.
Vulnerable script: msg
Description:
A remote user who has an account on Argosoft Mail Server can view arbitrary
files on the mail server. This is a directory traversal vulnerability in the
"UIDL" parameter. An attacker can view other users' messages, configuration
files or other text files on the remote mail server.
6. Unfixed critical vulnerabilities.
Description:
Argosoft Mail Server 1.8.7.6 has known critical vulnerabilities that remain
unfixed. SIG^2 (www.security.org.sg) discovered several directory traversal
vulnerabilities in Argosoft Mail Server 1.8.7.3
(http://www.security.org.sg/vuln/argosoftmail1873.html). The following
vulnerabilities have NOT been fixed by the vendor and still exist in the latest
version of the product (Argosoft Mail Server 1.8.7.6):
- Directory traversal in email attachment filename allows file upload to
arbitrary directories
- Directory traversal in _msgatt.rec allows any arbitrary files on the server
to be sent as attachment
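Items 2, 3, 5 and 6 share one root cause: a user-supplied name (Folder, UIDL, attachment filename) is joined onto a server path without being confined to the caller's own mailbox. The following handler-side validation is an added example, not ArGoSoft code; it rejects dot-segments, separators, drive letters, absolute paths and NUL bytes, refuses to resolve the mailbox root itself (the case behind item 3), and then proves containment of the final path. The checks are lexical so the example runs without touching disk; MAILBOX_ROOT and the POSIX-style layout are assumptions made for the example.

```python
"""Validation of user-supplied path parameters in a webmail handler.

Added example, not ArGoSoft code. The Folder, UIDL and attachment-filename
parameters are mapped onto a path that must stay inside the authenticated
user's own mailbox; anything that could escape it (.., separators, drive
letters, absolute paths, NUL bytes) is rejected before any file operation.
MAILBOX_ROOT and the POSIX-style layout are assumptions for the example.
"""
import posixpath
import re

MAILBOX_ROOT = "/srv/mail/users"     # assumed location of per-user mailboxes

# one path component: must start alphanumeric, then a small safe charset
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")
_DRIVE_LETTER = re.compile(r"^[A-Za-z]:")


class UnsafePath(ValueError):
    """Raised for any parameter that would leave the user's mailbox."""


def _check_segment(segment):
    # Rejects "", ".", "..", separators, percent signs, control characters
    if not _SAFE_SEGMENT.match(segment):
        raise UnsafePath(f"bad path component: {segment!r}")


def safe_folder_path(user, folder):
    """Resolve the Folder parameter to a directory inside the user's mailbox.

    An empty or dot-only Folder is rejected too: the mailbox root itself must
    never be the target of a delete or move operation.
    """
    if "\x00" in folder:
        raise UnsafePath("NUL byte in parameter")
    _check_segment(user)                      # the session's user name, too
    normalized = folder.replace("\\", "/")    # Windows servers accept both separators
    if normalized.startswith("/") or _DRIVE_LETTER.match(normalized):
        raise UnsafePath("absolute path not allowed")
    segments = normalized.split("/")
    for segment in segments:
        _check_segment(segment)
    user_root = posixpath.join(MAILBOX_ROOT, user)
    candidate = posixpath.normpath(posixpath.join(user_root, *segments))
    # Defence in depth: even after the checks above, prove containment
    if posixpath.commonpath([user_root, candidate]) != user_root or candidate == user_root:
        raise UnsafePath("path escapes mailbox")
    return candidate


def safe_message_path(user, folder, uidl):
    """Resolve the UIDL parameter to exactly one .eml file in the folder."""
    _check_segment(uidl)              # a single name: no separators, no dot-segments
    if not uidl.lower().endswith(".eml"):
        raise UnsafePath("UIDL must name a .eml message")
    return posixpath.join(safe_folder_path(user, folder), uidl)


def rejects(func, *args):
    """True if the handler would refuse this parameter set."""
    try:
        func(*args)
    except UnsafePath:
        return True
    return False


if __name__ == "__main__":
    # constructed inputs: one valid request and a few traversal attempts
    print(safe_message_path("alice", "Inbox/2005", "00042.eml"))
    for bad in ("..\\bob", "Inbox/../../mail.ini", "", "C:/Windows"):
        print(repr(bad), "rejected:", rejects(safe_folder_path, "alice", bad))
```

Every file operation in the delete, folderdelete and msg handlers should use only the path these functions return, never the raw parameter, and the user name must come from the authenticated session rather than from the request. The segment regex also rejects percent signs, so a double-encoded `..` that the framework did not decode is refused rather than passed to the filesystem. Rejections are worth logging with the source address: a traversal attempt from an authenticated account is a strong indicator that the account is being abused.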
EXPLOITATION
WebMail must be enabled on the Argosoft Mail Server.
WORKAROUND
Disable WebMail of Argosoft Mail Server.
VENDOR STATUS
Vendor contacted: 24 January 2005
Contact was broken off by the vendor. Details were not discussed during the
contact.
SUMMARY
An attacker who successfully exploited the vulnerabilities described in this
report could take complete control of an Argosoft Mail Server 1.8.7.x or an
affected remote system. I do not advise using this product; you must disable the
WebMail service of Argosoft Mail Server.
CREDITS
ShineShadow, independent computer security expert.
To get more information, please contact me by e-mail.
22.04.2005
ShineShadow,
ss_contacts@xxxxxxxxxxx