------------------------------------------------------------
- EXPL-A-2004-002 exploitlabs.com Advisory 028 -
------------------------------------------------------------
- Surgemail -

OVERVIEW
========

"SurgeMail is a next generation Mail Server - Combining features,
performance and ease of use into a single integrated product. Ideal on
Windows NT/2K, or Unix (Linux, Solaris etc) and supports all the
standard protocols IMAP, POP3, SMTP, SSL, ESMTP."

SurgeMail suffers from two basic remote vulnerabilities:

1. Information disclosure. Requesting a non-existent filename causes
   STDERR to be rendered to the user, disclosing the physical directory
   structure of the installation.

2. XSS (cross-site scripting) via the login form, in particular the
   "username" field. This allows credential theft via externally hosted
   malicious script. Both the HTTP and HTTPS access vectors are affected.

AFFECTED PRODUCTS
=================

SurgeMail (Win32 and *nix, through version 1.9)
WebMail v3.1d
Copyright © NetWin Ltd
http://netwinsite.com/index.html
http://netwinsite.com/overviews.htm
http://netwinsite.com/server/email_server_software.htm

DETAILS
=======

1. Information Disclosure

SurgeMail's web-based interface reveals the physical directory structure
when a non-existent resource (404) is requested:

http://x.x.x.x/[non-existent request]

http://x.x.x.x:7080/scripts/

  "Could not create process D:\surgemail/scripts/ Access Denied
   Is the url correct, check for a log file in the scripts directory
   and run the process in a shell window (D:\surgemail)"

http://x.x.x.x:7080/scripts/err.txt

  "Could not create process D:\surgemail/scripts/err.txt File Not Found
   Is the url correct, check for a log file in the scripts directory
   and run the process in a shell window (D:\surgemail)"

http://x.x.x.x/scripts/err.txt

  CGI did not respond correctly, it probably exited abnormally or the
  file may not exist or have +x access (/usr/local/surgemail/scripts)
  (err.txt) ()

Note that on the Windows build the error text also differs between an
existing directory ("Access Denied" for /scripts/) and a missing file
("File Not Found" for /scripts/err.txt), so the same responses let a
remote user tell which paths exist on the server, not just where the
installation lives.

2. XSS (cross-site scripting)

The login form's username field is vulnerable to XSS.

================ snip ========================
http://x.x.x.x:7080/
http://x.x.x.x:7080/
http://x.x.x.x:7080/
================ snip ========================

SOLUTION
========

Vendor contacted May 16, 2003 (support-surgemail@netwinsite.com)
Vendor acknowledgement received May 17, 2003
Vendor patch / version 2.0c released June 2, 2004 and may be obtained at
ftp://ftp.netwinsite.com/pub/surgemail/beta
http://www.netwinsite.com/surgemail/help/updates.htm

PROOF OF CONCEPT
================

(see DETAILS)

CREDITS
=======

This vulnerability was discovered and researched by Donnie Werner of
exploitlabs.

Donnie Werner
mail: morning_wood@exploitlabs.com
--
web: http://exploitlabs.com
web: http://zone-h.org
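The following Python checker is an added example and is not part of the exploitlabs advisory or of NetWin's code. It extracts the leaked filesystem paths from the three error texts quoted in DETAILS, separates the "Access Denied" / "File Not Found" variants, and shows the unescaped username reflection beside an HTML-escaped version of the same fragment; probe_host() wraps the checks for a live test of a host you are authorised to scan. Assumed, not from the advisory: the probe paths, that the login form takes the username as a GET parameter on /, the marker string "><zq7xss>, and the simplified login-form markup used to model the flaw.

```python
"""Checker for the two SurgeMail webmail issues in EXPL-A-2004-002.

Added example, not code from exploitlabs or NetWin. The analysis functions
run offline on the error texts quoted in the advisory; probe_host() wraps
them with urllib for a live check (assumptions: the probe paths, that the
login form accepts the username as a GET parameter on "/", and the marker
used as the XSS probe).
"""
from __future__ import annotations

import html
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Paths as SurgeMail prints them: a Windows drive path such as
# D:\surgemail/scripts/ or a Unix absolute path such as /usr/local/surgemail/scripts.
WIN_PATH = r"[A-Za-z]:[\\/][^\s\"'()]*"
UNIX_PATH = r"/(?:usr|opt|home|var|etc)/[^\s\"'()]*"
PATH_RE = re.compile(rf"(?:{WIN_PATH})|(?:{UNIX_PATH})")

# Phrases from the CGI error pages quoted in the advisory.
LEAK_PHRASES = ("Could not create process", "CGI did not respond correctly")

# Error bodies copied from the DETAILS section (Windows dir, Windows file, Unix).
WIN_DIR_404 = ("Could not create process D:\\surgemail/scripts/ Access Denied "
               "Is the url correct, check for a log file in the scripts directory "
               "and run the process in a shell window (D:\\surgemail)")
WIN_FILE_404 = ("Could not create process D:\\surgemail/scripts/err.txt File Not Found "
                "Is the url correct, check for a log file in the scripts directory "
                "and run the process in a shell window (D:\\surgemail)")
UNIX_404 = ("CGI did not respond correctly, it probably exited abnormally or the "
            "file may not exist or have +x access (/usr/local/surgemail/scripts) "
            "(err.txt) ()")


def disclosed_paths(body: str) -> list[str]:
    """Filesystem paths leaked by a SurgeMail CGI error page, in order, no duplicates."""
    if not any(phrase in body for phrase in LEAK_PHRASES):
        return []
    found: list[str] = []
    for m in PATH_RE.finditer(body):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def path_hint(body: str) -> str | None:
    """The Windows variant also says whether the path exists: 'Access Denied'
    for a present directory, 'File Not Found' for a missing file."""
    if "Access Denied" in body:
        return "exists"
    if "File Not Found" in body:
        return "missing"
    return None


# XSS probe: a harmless tag that cannot survive HTML escaping (assumed marker).
XSS_PROBE = '"><zq7xss>'


def render_login_vulnerable(username: str) -> str:
    """Simplified model of the flaw: the submitted username is echoed into the
    form unescaped. Not SurgeMail's real markup."""
    return f'<input type="text" name="username" value="{username}">'


def render_login_fixed(username: str) -> str:
    """Same fragment with the value HTML-escaped (quote=True also escapes the quote)."""
    return f'<input type="text" name="username" value="{html.escape(username, quote=True)}">'


def reflected_unescaped(body: str, probe: str = XSS_PROBE) -> bool:
    """True when the probe comes back verbatim, so a browser would parse it as markup."""
    return probe in body


def fetch(url: str, timeout: float = 5.0) -> str:
    """GET a URL and return the body even on an HTTP error status."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("latin-1", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("latin-1", "replace")


def probe_host(base: str) -> dict[str, object]:
    """Live check against e.g. 'http://x.x.x.x:7080'; only run against hosts you may test."""
    report: dict[str, object] = {}
    for path in ("/scripts/", "/scripts/err.txt"):  # assumed probe paths, taken from DETAILS
        body = fetch(base + path)
        report[path] = {"paths": disclosed_paths(body), "hint": path_hint(body)}
    login = base + "/?username=" + urllib.parse.quote(XSS_PROBE)  # assumed parameter name
    report["xss"] = reflected_unescaped(fetch(login))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_host(sys.argv[1]))
    else:  # offline demo on the advisory's own error texts
        for body in (WIN_DIR_404, WIN_FILE_404, UNIX_404):
            print(disclosed_paths(body), path_hint(body))
        print(reflected_unescaped(render_login_vulnerable(XSS_PROBE)),
              reflected_unescaped(render_login_fixed(XSS_PROBE)))
```

Run it with no arguments to see the paths recovered from the quoted error texts; pass a base URL to probe a live host. A patched server should return no path for either probe and should echo the username probe only in its escaped form.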