SecuriTeam - CMailServer WebMail Multiple Vulnerabilities

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CMailServer is "a small and easy-to-use Mail Server software and Web Mail software. It enables you to send and receive emails across the Internet or within the LAN and has support for client email applications such as Outlook, Eudora etc. CMailServer supports Hotmail-like Web Mail service based on ASP scripts".

Multiple vulnerabilities were found in CMailServer's Web Mail service including buffer overflow, SQL Injection and Cross-Site Scripting (XSS).

Credit:
The information has been provided by chewkeong.

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* CMailServer version 5.2 and prior

Immune Systems:
* CMailServer version 5.2.1

Multiple vulnerabilities were found in CMailServer's Web Mail service including buffer overflow, SQL Injection and Cross-Site Scripting (XSS).

1. Buffer overflow in CMailCOM.dll's attachment download method may allow arbitrary code execution.
2. SQL Injection in fdelmail.asp allows deleting of other users' mail metadata.
3. SQL Injection in addressc.asp allows deleting of other users' email address contacts.
4. XSS vulnerability in admin.asp when displaying users' personal info.

Solution:
Upgrade to the latest version of CMailServer version 5.2.1 or newer.

Disclosure timeline:
12 Nov 04 - Vulnerability Discovered.
13 Nov 04 - Initial Vendor Notification by Email and Web Form.
16 Nov 04 - Initial Vendor Reply.
21 Nov 04 - Vendor provided patched version for testing.
21 Nov 04 - Notified Vendor that a patch did not work.
21 Nov 04 - Vendor provided updated version for testing.
24 Nov 04 - Public Release

	SAP MaxDB Malformed Handshake Request Remote Code Execution Vulnerability
	Dojo Toolkit SDK Multiple DOM-Based XSS Vulnerabilities
	Microsoft Indeo Codec Memory Corruption Vulnerability
	HP DDMI Execution of Arbitrary Code
	Microsoft Windows License Logging Service Heap Corruption Vulnerability
	Microsoft Office Excel Code Execution Vulnerabilities
	Microsoft SharePoint 2007 ASP.NET Source Code Disclosure
	Microsoft Windows Local Security Authority Integer Overflow Vulnerability
	Windows Kernel Multiple Vulnerabilities
	Microsoft Windows ActiveX Indexing Service Memory Corruption Vulnerability
	Microsoft IIS FTP Service Code Execution and DoS Vulnerability
	Microsoft GDI+ Multiple Vulnerabilities
	Microsoft .NET Common Language Runtime Multiple Vulnereabilities
	Microsoft Active Template Library ActiveX Controls Multiple Vulnerabilities
	ActiveX Active Template Library Initialization Vulnerability