ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail attachments retrievable without proper authentication

From: tizio caio (G00db0y@zone-h.org)
Date: Tue Jul 08 2003 - 11:25:14 PDT

Next message: Conectiva Updates: "[CLA-2003:691] Conectiva Security Announcement - php4"

Previous message: yan feng: "zkfingerd-2.0.2(the last version)Format String Vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail attachments retrievable without proper authentication. Published: 08/07/2003 Released: 08/07/2003 Name: Rockliffe Mailsite Express - mail attachments retrievable without proper authentication Affected Systems: Mailsite 5.3.4 (and older versions?) Issue: Remote attackers can view all attachments Author: G00db0y@zone-h.org Description *********** Zone-h Security Team has discovered a serious security flaw in Rockliffe's MailSite Management Agent (version 5.3.4). This server allows remote users to access their POP3 accounts and read their mail over HTTP. The service usually listens on TCP port 80. The system allows an attacker to retrieve all attachments from it granting access to sensible information . Details ******* Many sites (you can find them using google) register all accesses to their websites. This information is collected in their stats page. It's very easy to find them (example www.site.com/stats/). From that point, an attacker could retrieve without authentication any attachments on every email that is online and not deleted from the mail server. From the stats page it's possible to see every access on every page on the webserver so also in the MailSite structure. When a user visualizes the mail attachements, the stat package is generating a link like this one: http://www.site.com/express/cache/DC44AEECB46AE0C029E85BBD43089833/4118200 66/attachment The default installation path of Mailsite Managements Agent is /express. Every attachment is stored in the sub directory called cache. Access path to this directory is granted through a randomly generated url so it's impossible to retrieve any attachments from it. Connecting instead from the link contained in the stat package page, it is possible to retrieve directly any attachment. Solution: ********* The vendor has been contacted and a patch is not yet produced Suggestions: ************ Protect your web statistics page with a login procedure. Upgrade your current version of Mail Site Express when the vendor will release the patch to fix this problem. G00db0y - www.zone-h.org admin Original advisory: http://www.zone-h.org/en/advisories/read/id=2643/

Next message: Conectiva Updates: "[CLA-2003:691] Conectiva Security Announcement - php4"
Previous message: yan feng: "zkfingerd-2.0.2(the last version)Format String Vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Jul 08 2003 - 13:45:45 PDT