Information leak Vulnerability Found in MailMax/Web 4.1
http://www.smartmax.com
Discovered by Dennis Rand
------------------------------------------------------------------------

-----[SUMMARY

Our IMAP based MailMax/WEB 4.1 has a crisp new look and now allows you
to send and retrieve your mail three times faster when utilized with
MailMax 5.0. Tightly integrated with the MailMax 5 email server, this
add-on product provides a seamless solution to your web-based email
needs.

The problem is an information leak in the MailMax/WEB interface that
allows anyone who can observe the traffic to learn where MailMAX/WEB is
installed on the server.

-----[AFFECTED SYSTEMS

Vulnerable systems:
* MailMAX/WEB v.4.1

Immune systems:
*

-----[SEVERITY

Low - An attacker is able to view the location where MailMAX/WEB is
installed on the server.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS

If an attacker puts a sniffer on the network it is possible to view the
location of the installed software, giving the attacker more knowledge
of the structure of the server. The install path is sent in clear text
in the MYDIR cookie of every request to the MailMAX/WEB interface.

The following transcript demonstrates a sample exploitation of the
vulnerability:

----------------------------- [Transcript] -----------------------------
GET /mailmaxweb/mmweb_images/intro_splash.jpg HTTP/1.1
Accept: */*
Referer: http:///mailmaxweb/mmweb.dll?default
Accept-Language: da
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0b2; Windows NT 5.0)
Host: win2k-serv
Connection: Keep-Alive
Cookie: BOXLOADED=NO; MYDIR=c:\inetpub\wwwroot\mailmaxweb;
----------------------------- [Transcript] -----------------------------

-----[DETECTION

MailMax/WEB 4.1 is vulnerable to the above-described attack. Earlier
versions may be susceptible as well. To determine if a specific
installation is vulnerable, capture a request to the interface and
check whether the Cookie header contains the MYDIR value as shown in
the above transcript.

-----[WORK AROUNDS

* With this vulnerable version of MailMax/WEB, the only workaround is
  to disable the MailMAX/WEB interface; there is no workaround in the
  configuration.

* A possible workaround could be to make the traffic go through https
  so it is encrypted.

-----[VENDOR RESPONSE

* It will require architectural changes and be almost impossible to
  address in the current code base. No immediate timetable right now.

-----[DISCLOSURE TIMELINE

29/03/2003 Found the vulnerability, and made an analysis.
29/03/2003 Reported to vendor (sales@smartmax.com, features@smartmax.com,
           support@smartmax.com).
27/03/2003 Vendor reply, they now know of the vulnerabilities.
27/03/2003 Fix made public.
11/04/2003 Public disclosure.

-----[ADDITIONAL INFORMATION

The vulnerability was discovered and reported by Dennis Rand.

-----[DISCLAIMER

The information in this bulletin is provided "AS IS" without warranty of
any kind. In no event shall we be liable for any damages whatsoever
including direct, indirect, incidental, consequential, loss of business
profits or special damages.
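As an added example that is not part of the original advisory, the following checker implements the DETECTION step above: it parses the Cookie (or Set-Cookie) header of a captured HTTP message and flags any cookie whose value looks like an absolute filesystem path, as MYDIR does in the transcript. The sample request is constructed from the transcript; the path pattern is a general heuristic, not something MailMax-specific.

```python
import re

# Constructed sample request modelled on the advisory transcript.
SAMPLE_REQUEST = (
    "GET /mailmaxweb/mmweb_images/intro_splash.jpg HTTP/1.1\r\n"
    "Host: win2k-serv\r\n"
    "Cookie: BOXLOADED=NO; MYDIR=c:\\inetpub\\wwwroot\\mailmaxweb;\r\n"
    "\r\n"
)

# Heuristic for an absolute path: Windows drive letter, UNC share, or a
# POSIX path with at least two components (a bare "/login" is a URL path).
_PATH_RE = re.compile(
    r"^(?:[A-Za-z]:[\\/]|\\\\[^\\/]+[\\/]|/[\w.-]+(?:/[\w.-]+)+)", re.ASCII
)


def parse_cookies(header_value):
    """Split a Cookie header into (name, value) pairs; tolerates a trailing ';'."""
    pairs = []
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def find_path_leaks(raw_http):
    """Return [(cookie_name, value)] for cookies whose value looks like a filesystem path."""
    leaks = []
    head = raw_http.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip request/status line
        name, sep, value = line.partition(":")
        hname = name.strip().lower()
        if not sep or hname not in ("cookie", "set-cookie"):
            continue
        pairs = parse_cookies(value)
        if hname == "set-cookie":                # attributes (path=, domain=) are not cookies
            pairs = pairs[:1]
        for cname, cval in pairs:
            if _PATH_RE.match(cval):
                leaks.append((cname, cval))
    return leaks


if __name__ == "__main__":
    for cname, cval in find_path_leaks(SAMPLE_REQUEST):
        print(f"path disclosed in cookie {cname}: {cval}")
```

Running it over a capture of the interface's traffic flags MYDIR; the same function applied to Set-Cookie headers in server responses shows where the value is first set.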