GWextranet Multiple Vulnerabilities
Vendor: Messaging Architects
http://www.gwtools.com/en/gwextranet/eval/
http://www.example/gwextranet/scp.dll/sendto?user=calendar+of+events&mid=474020FA.GWEMAIL_DEPOT.SDEPO.100.167656B.1.1B00.1&template=.././../../boot.ini%00
http://www.example.com/gwextranet/scp.dll/nbfile?user=calendar%20of%20events&format=&mid=46FA2724.GWEMAIL_DEPOT.SDEPO.100.167656B.1.198E.1&folder=Calendar&altcolor=cccccc&template=gwextra&caldays=1&startday=&file=../scp.dll
In just about any action module that requests a template or file, you can include a
file from elsewhere on the server. I was able to refer to the manual on
GwExtranet to obtain all the files that utilize the file and template
parameters. They are List, Monthcal, Item, frmonth, week, frameset, fhead,
frlist, getvcs, Xlist, nblist, nbitem, nbfile, directory, xlist, sendto, Xweek,
Xmonth, and finally Xitem.
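For defenders reviewing web server logs, the following Python script is an added example (not part of the original advisory or the vendor's code) that flags requests to the scp.dll modules listed above whose template or file value contains a parent-directory segment or a null byte. The log lines are constructed, and the access-log format and placeholder mid values are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Action modules the advisory lists as taking template/file parameters.
MODULES = set("""list monthcal item frmonth week frameset fhead frlist getvcs
xlist nblist nbitem nbfile directory sendto xweek xmonth xitem""".split())
PARAMS = {"template", "file"}
SCP_PATH = re.compile(r"/scp\.dll/([^/?]+)", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so the check sees the normalized value."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target):
    """Return (param, reason) pairs for template/file values that traverse."""
    parts = urlsplit(target)
    module = SCP_PATH.search(parts.path)
    if not module or module.group(1).lower() not in MODULES:
        return []
    findings = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() not in PARAMS:
            continue
        value = decode_fully(raw.replace("+", " "))
        if "\x00" in value:
            findings.append((name, "null byte"))
        if ".." in value.replace("\\", "/").split("/"):
            findings.append((name, "parent-directory segment"))
    return findings

def scan_log(lines):
    """Return (line_number, param, reason) for each flagged request line."""
    return [(n, p, r) for n, line in enumerate(lines, 1)
            for m in [REQUEST.search(line)] if m
            for p, r in suspicious_params(m.group(1))]

# Constructed access-log lines (documentation IPs, placeholder mid values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2008:10:00:00 +0000] "GET /gwextranet/scp.dll/nblist?user=calendar+of+events&template=gwextra HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2008:10:00:05 +0000] "GET /gwextranet/scp.dll/sendto?user=calendar+of+events&mid=MID&template=.././../../boot.ini%00 HTTP/1.1" 200 211',
    '198.51.100.7 - - [01/Jan/2008:10:00:09 +0000] "GET /gwextranet/scp.dll/nbfile?user=calendar%20of%20events&mid=MID&file=../scp.dll HTTP/1.1" 200 90112',
]
```

Calling `scan_log(SAMPLE_LOG)` returns one entry per finding, so a request with both a traversal segment and a null byte appears twice.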
The compose module allows you to add new events to a specific group, but allows
script code to be injected inside the event. The result of, say, a well-placed body
onload event effectively defaces the front page until the month is over (when
the event calendar rolls over to a new month).
Vendor Notified (they refused to give me a direct line), no patch yet.
Happy Hacking!