From Marc@EEYE.COM Mon May 31 06:39:03 1999 From: Marc To: BUGTRAQ@netspace.org Date: Wed, 26 May 1999 06:58:27 -0000 Subject: Multiple Web Interface Security Holes [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] Multiple Web Interface Security Holes Systems Affected CMail 2.3 FTGate 2,1,2,1 NTMail 4.20 Release Date May 26, 1999 Advisory Code AD05261999 Description: The following holes were found while testing Retina against a few various services that have web based interfaces. The holes are nothing amazing just common amongst many web based interfaces. We are sure some other software will be found with similar holes... if you come across some contact info@eeye.com and let us know. ---> CMail The default location of the web based interface for CMail is C:\Program Files\Computalynx\CMail Server\pages\. It is a simple hole. For example if we were to load http://[server]:8002/../spool/username/mail.txt in our web browser we would be looking at the email for that user. Note: Mail.txt is not the real mail file. There is one minor problem... reading of files is not totally straight forward. It seems CMail has some mechanism of what it will read or not. If you have a text file with no carriage returns in it CMail will not read it. There also exists multiple buffer overflows within the various SMTP and POP server functions of CMail. Yes they are exploitable. >:-] ---> FTGate Same as above basically. http://[server]:8080/../newuser.txt The only difference is that FTGate doesn't seem to mind if the file has the carriage returns or not. ---> NTMail NTMail suffers from the same programming flaw... http://[server]:8000/../../../../../boot.ini. There is other server software out there that suffers from these common holes. An average of 65% of the software we have tested thus far has had problems with restricting the path that they allow. NTMail as well as the other two can be run as a service, NTMail does it by default, therefore you can read files as SYSTEM on most of them. Fixes Disable the web interfaces where applicable until the vendors release patches. Vendor Status All vendors have been notified. Copyright (c) 1999 eEye Digital Security Team Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com for permission. Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. Please send suggestions, updates, and comments to: eEye Digital Security Team info@eEye.com http://www.eEye.com ([Retina, because a security scanner should do more then what it is told.])