If I read this correctly you have to be able to change the templates ????
Does this make any sense?
Scott Phelps
NT Administrator
WebKorner Internet Services
[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
www.webkorner.com <http://www.webkorner.com>
Charlotte: 370-0333
Salisbury: 637-7435
-----Original Message-----
From: Bugtraq List [mailto:[EMAIL PROTECTED]]On Behalf Of * *
Sent: Wednesday, August 30, 2000 3:50 AM
To: [EMAIL PROTECTED]
Subject: Vulnerability Report On IPSWITCH's IMail
Vulnerability Report On IPSWITCH's IMail
Date Published: August 30 2000
Advisory ID: TS003
Bugtraq ID: http://www.securityfocus.com/bid/1617
CVE CAN: None at this time
Title: IPSWITCH IMail File Attachment Vulnerability
Class: Access Validation Error
Remotely Exploitable: Yes
Locally Exploitable: Yes
Vulnerability Description:
IPSWITCH ships a product titled IMail, an email server for usage on NT
servers serving
clients their mail via a web interface. To this end the IMail server
provides a web server
typically running on port 8383 for it's end users to access. Via this
interface users may
read and send mail, as well as mail with file attachments. Certain
versions of IMail do not
perform proper access validation however resulting in users being able to
attach files resident
on the server. The net result of this is users may attach files on the
server to which they should
have no access. This access is limited to the user privileges which the
server is being run as, typically
SYSTEM.
It should be noted that once a user attachs the files in question the
server deletes them.
A more technical description of this problem follows towards the end of
this advisory.
Vulnerable Packages/Systems:
- IMail 5.0
- IMail 6.0
- IMail 6.1
- IMail 6.2
- IMail 6.3
- IMail 6.4
Suspected Vulnerable:
- IMail 5.0.5
- IMail 5.0.6
- IMail 5.0.7
- IMail 5.0.8
Solution/Vendor Information/Workaround:
Dowload fix for IMail 6.0 and up:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/Imail/imailwebpatch604c.exe
Vendor notified on:
The vendor was notified on July 17, 2000. At the time of this notification
the vendor asigned
the following tracking number to this vulnerability - T20000717001J.
Credits:
This vulnerability was discovered and reported by Timescape
<[EMAIL PROTECTED]>.
This advisory was drafted with the help of the SecurityFocus.com
Vulnerability
Help Team. For more information or assistance drafting advisories please
mail
[EMAIL PROTECTED]
Referance:
Further advisories on IPSWITCH Products:
http://www.securityfocus.com/bid/1094
http://www.securityfocus.com/bid/914
http://www.securityfocus.com/bid/880
http://www.securityfocus.com/bid/789
http://www.securityfocus.com/bid/547
http://www.securityfocus.com/bid/503
http://www.securityfocus.com/bid/506
http://www.securityfocus.com/bid/504
http://www.securityfocus.com/bid/502
http://www.securityfocus.com/bid/505
http://www.securityfocus.com/bid/218
http://www.securityfocus.com/bid/217
Technical Description - Exploit/Concept Code:
Here is a sample mail header sent by IMAIL web services which
has an attachment. Please note that this is line wrapped for readability.
Date: Tue, 11 Jul 2000 13:10:28 +0200
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0 Content-Type: multipart/mixed;
boundary="==IMail_v5.0=="
From: "Timescape" <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: test
X-Mailer: <IMail v5.01>
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Return-Path: <[EMAIL PROTECTED]>
X-OriginalArrivalTime: 11 Jul 2000 11:20:48.0256 (UTC) FILETIME=
[10327800:01BFEB2A]
This is a multi-part message in MIME format.
--==IMail_v5.0==
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
--==IMail_v5.0==
Content-Type: application/octet-stream;
name="gonzo2.jpg "
Content-Transfer-Encoding: base64
--==IMail_v5.0==--
The thing which we will be exploiting is the
X-Attachments: D:\IMAIL\spool\gonzo2.jpg ;
I made it work by modifing the compose message HTML file and
saved it locally. Then i can just arrange the path to the
attachment so that it can read
X-Attachments: D:\IMAIL\spool\..\bar\users\admin\main.mbx ;
DISCLAIMER:
No responsibility whatsoever is taken for any correct/incorrect use of this
information. This is for informational purposes only.
Please visit http://www.ipswitch.com/support/mailing-lists.html
to be removed from this list.
An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
