Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6




ShineShadow Security Report  22042005-04

TITLE: Multiple vulnerabilities in Argosoft Mail Server Pro 1.8.7.6.

BACKGROUND

ArGoSoft Mail Server is fully functional SMTP/POP3/Finger (Pro version also has 
IMAP module) server for Windows 95/98/NT/2000, which will let you turn your 
computer into the email system. It's very compact, takes about 1-5 Mb of disk 
space (depending on the version), does not have any specific memory 
requirements, and what is the most important - it's very easy to use. 
Source: www.argosoft.com

VULNERABLE PRODUCTS

Argosoft Mail Server Pro 1.8.7.6 (possibly other versions)

DETAILS

1. Multiple cross-site scripting (XSS) vulnerabilities.

Description:
A remote user can carry out a cross-site scripting (XSS) attack. This is
possible because some HTML tags in email messages are not filtered (for
example, the "src" parameter in the IMG tag). An attacker can send the victim a
specially crafted email message. If the victim views this message using the web
interface, the attacker's Java code will be executed in the victim's web
browser. Many XSS vulnerabilities also exist in the input boxes of webmail
pages (for example, User settings, Address book and others).

2. Copying or moving files with arbitrary content and .eml extension to 
arbitrary locations on the server.

Vulnerable script: delete

Description:
A remote user who has an account on Argosoft Mail Server can copy or move his
own .eml files with arbitrary content (which, for example, could be uploaded as
an attachment) to arbitrary locations on the server. This is a directory
traversal vulnerability. The new name of the moved or copied .eml file will be
randomly generated by the script.

3. Deleting own account on the mail server.

Vulnerable script: folderdelete

Description:
A remote user who has an account on Argosoft Mail Server can delete his home
directory and account on the mail server. This is an input validation error in
the "Folder" parameter.

4. Creating arbitrary user accounts on mail server.

Vulnerable script: addnew

Description:
A remote user can create a user account on the mail server even if the option
"Allow Creation of Accounts From the Web Interface" has been disabled. This is
possible because the script does not require authentication. An attacker can
send a POST query to the vulnerable script to create a valid user account on
the remote mail server. After that, it is possible to use the other
vulnerabilities described in this report to get full control of Argosoft Mail
Server or the remote system.

5. Viewing arbitrary files on mail server.

Vulnerable script: msg

Description:
A remote user who has an account on Argosoft Mail Server can view arbitrary
files on the mail server. This is a directory traversal vulnerability in the
"UIDL" parameter. An attacker can view messages of other users, configuration
files or other text files on the remote mail server.

6. Unfixed critical vulnerabilities.

Description:
Argosoft Mail Server 1.8.7.6 has unfixed known critical vulnerabilities. SIG^2
(www.security.org.sg) discovered some directory traversal vulnerabilities in
Argosoft Mail Server 1.8.7.3
(http://www.security.org.sg/vuln/argosoftmail1873.html). The following
vulnerabilities have NOT been fixed by the vendor and exist in the latest
version of the product (Argosoft Mail Server 1.8.7.6):
- Directory traversal in email attachment filename allows file upload to
arbitrary directories
- Directory traversal in _msgatt.rec allows any arbitrary files on the server
to be sent as attachment


EXPLOITATION

WebMail must be running on Argosoft Mail Server.

WORKAROUND

Disable WebMail of Argosoft Mail Server.

VENDOR STATUS

Vendor contacted: 24 January 2005
Contact was interrupted by the vendor. Details were not discussed during the
contact.


SUMMARY

An attacker who successfully exploited the vulnerabilities described in this
report could take complete control of an Argosoft Mail Server 1.8.7.x or an
affected remote system. I do not advise using this product; you must disable
the Webmail service of Argosoft Mail Server.
        
CREDITS

ShineShadow, independent computer security expert.
To get more information, please contact me by e-mail.

22.04.2005
ShineShadow,
ss_contacts@xxxxxxxxxxx
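
Items 3 and 5 above both come down to a request parameter ("Folder", "UIDL") being turned into a file system path without validation. The following is an added example, not part of the original advisory and not Argosoft code, showing the kind of server-side check whose absence those items describe. The storage layout (messages kept as <UIDL>.eml in a per-user home directory), the UIDL alphabet and all function names are assumptions made for illustration.

```python
import os
import re

# Constructed layout (assumption): each account has a home directory and
# messages are stored in it as <UIDL>.eml.
HOME = "/mail-example/users/alice"

# Assumption: UIDLs are short opaque tokens, so an allow-list is enough.
UIDL_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


class RejectedPath(ValueError):
    """Raised when a request parameter would escape the user's home."""


def _inside(home, candidate):
    """Return candidate's real path if it is strictly below home."""
    home_real = os.path.realpath(home)
    cand_real = os.path.realpath(candidate)
    try:
        common = os.path.commonpath([home_real, cand_real])
    except ValueError:  # e.g. paths on different drives on Windows
        raise RejectedPath(candidate)
    # Equal paths are rejected too: the home itself is never a valid target.
    if common != home_real or cand_real == home_real:
        raise RejectedPath(candidate)
    return cand_real


def message_path(home, uidl):
    """Map the UIDL parameter of a 'view message' request to a file."""
    if not UIDL_RE.fullmatch(uidl):
        raise RejectedPath(uidl)
    return _inside(home, os.path.join(home, uidl + ".eml"))


def folder_path(home, folder):
    """Map the Folder parameter of a 'delete folder' request to a directory."""
    # One path component only; both separator styles are refused.
    if folder in ("", ".", "..") or "/" in folder or "\\" in folder:
        raise RejectedPath(folder)
    return _inside(home, os.path.join(home, folder))


def is_rejected(func, value, home=HOME):
    """True if func refuses value for the given home directory."""
    try:
        func(home, value)
    except RejectedPath:
        return True
    return False
```

The allow-list and the containment check are deliberately redundant: the first refuses unexpected input early, the second still holds if the allow-list is later loosened or a symbolic link sits inside the home directory.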