Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: hack7587.htm

Argosoft Mail Server 1.8.7.6 multiple vulns



Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6



ShineShadow Security Report  22042005-04

TITLE: Multiple vulnerabilities in Argosoft Mail Server Pro 1.8.7.6.

BACKGROUND

ArGoSoft Mail Server is fully functional SMTP/POP3/Finger (Pro version also has IMAP module) server for Windows 95/98/NT/2000, which will let you turn your computer into the email system. It's very compact, takes about 1-5 Mb of disk space (depending on the version), does not have any specific memory requirements, and what is the most important - it's very easy to use. 
Source: www.argosoft.com 

VULNERABLE PRODUCTS

Argosoft Mail Server Pro 1.8.7.6 (maybe other)

DETAILS

1. Multiple cross-site scripting (XSS) vulnerabilities.

Description: 
Remote user can execute cross-site scripting (XSS) attack. It possible because some HTML tags in email messages are not filtered (for example, “src” parameter in IMG tag). An attacker can send to the victim special crafted email message. If victim will view this message using web interface then attackers Java code will be executed in web browser of the victim. Also many XSS vulnerabilities exists in input boxes of webmail pages (for example, User settings,Address book and other).

2. Copying or moving files with arbitrary content and .eml extension to arbitrary locations on the server.

Vulnerable script: delete

Description: 
Remote user, who has account on Argosoft Mail Server, can copy or move own .eml files with arbitrary content (which, for example, could be uploading as attachment) to arbitrary locations on the server. This is directory traversal vulnerability. The new name of moving/copying .eml file will be random-generated by script. 

3. Deleting own account on the mail server.

Vulnerable script: folderdelete

Description:
Remote user, who has account on Argosoft Mail Server, can delete his home directory and account on the mail server. This is input validation error in “Folder” parameter.

4. Creating arbitrary user accounts on mail server.

Vulnerable script: addnew

Description:
Remote user can create user account on mail server even if option “Allow Creation of Accounts From the Web Interface” has been disabled. It possible, because script does not require authentication. An attacker can send POST query to vulnerable script to create valid user account on remote mail server. After that it possible to use other vulnerabilities described in this report to get full control of Argosoft Mail Server or remote system.

5. Viewing arbitrary files on mail server.

Vulnerable script: msg

Description:
Remote user, who has account on Argosoft Mail Server, can view arbitrary files on mail server. This is directory traversal vulnerability in “UIDL” parameter. An attacker can view messages of other users, configuration files or other text files on remote mail server.

6. Unfixed critical vulnerabilities.

Description:
Argosoft Mail Server 1.8.7.6 has unfixed known critical vulnerabilities. SIG^2 (www.security.org.sg) discovered some directory traversal vulnerabilities in Argosoft Mail Server 1.8.7.3 (http://www.security.org.sg/vuln/argosoftmail1873.html). The following vulnerabilities are NOT been fixed by vendor and exists in the last version of the product (Argosoft Mail Server 1.8.7.6):
- Directory traversal in email attachment filename allows file upload to arbitrary directories
- Directory traversal in _msgatt.rec allows any arbitrary files on the server to be sent as attachment


EXPLOITATION

WebMail must be running on Argosoft Mail Server.

WORKAROUND

Disable WebMail of Argosoft Mail Server.

VENDOR STATUS

Vendor contacted: 24 January 2005
Contact has been interrupted by vendor. Details has not been discussed during contact.


SUMMARY

An attacker who successfully exploited vulnerabilities described in this report could take complete control of a Argosoft Mail Server 1.8.7.x or an affected remote system. I’m not advice to use this product, you must disable Webmail service of Argosoft Mail Server. 
	
CREDITS

ShineShadow, undependent computer security expert. 
To get more information, please contact me by e-mail.

22.04.2005
ShineShadow,
ss_contacts@hotmail.com 


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH