BugTraq
Back to list
|
Post reply
ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail attachments retrievable without proper authentication
Jul 08 2003 06:25PM
tizio caio (G00db0y zone-h org)
ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail
attachments retrievable without proper authentication.
Published: 08/07/2003
Released: 08/07/2003
Name: Rockliffe Mailsite Express - mail attachments retrievable without
proper authentication
Affected Systems: Mailsite 5.3.4 (and older versions?)
Issue: Remote attackers can view all attachments
Author: G00db0y (at) zone-h (dot) org [email concealed]
Description
***********
Zone-h Security Team has discovered a serious security flaw in
Rockliffe's MailSite Management Agent (version 5.3.4). This server allows
remote users to access their POP3 accounts and read their mail over HTTP.
The service usually listens on TCP port 80. The system allows an attacker
to retrieve all attachments from it granting access to sensible
information .
Details
*******
Many sites (you can find them using google) register all accesses to
their websites. This information is collected in their stats page. It's
very easy to find them (example www.site.com/stats/). From that point, an
attacker could retrieve without authentication any attachments on every
email that is online and not deleted from the mail server.
From the stats page it's possible to see every access on every page on
the webserver so also in the MailSite structure. When a user visualizes
the mail attachements, the stat package is generating a link like this
one:
http://www.site.com/express/cache/DC44AEECB46AE0C029E85BBD43089833/41182
00
66/attachment
The default installation path of Mailsite Managements Agent is /express.
Every attachment is stored in the sub directory called cache. Access path
to this directory is granted through a randomly generated url so it's
impossible to retrieve any attachments from it. Connecting instead from
the link contained in the stat package page, it is possible to retrieve
directly any attachment.
Solution:
*********
The vendor has been contacted and a patch is not yet produced
Suggestions:
************
Protect your web statistics page with a login procedure. Upgrade your
current version of Mail Site Express when the vendor will release the
patch to fix this problem.
G00db0y - www.zone-h.org admin
Original advisory: http://www.zone-h.org/en/advisories/read/id=2643/
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail
attachments retrievable without proper authentication.
Published: 08/07/2003
Released: 08/07/2003
Name: Rockliffe Mailsite Express - mail attachments retrievable without
proper authentication
Affected Systems: Mailsite 5.3.4 (and older versions?)
Issue: Remote attackers can view all attachments
Author: G00db0y (at) zone-h (dot) org [email concealed]
Description
***********
Zone-h Security Team has discovered a serious security flaw in
Rockliffe's MailSite Management Agent (version 5.3.4). This server allows
remote users to access their POP3 accounts and read their mail over HTTP.
The service usually listens on TCP port 80. The system allows an attacker
to retrieve all attachments from it granting access to sensible
information .
Details
*******
Many sites (you can find them using google) register all accesses to
their websites. This information is collected in their stats page. It's
very easy to find them (example www.site.com/stats/). From that point, an
attacker could retrieve without authentication any attachments on every
email that is online and not deleted from the mail server.
From the stats page it's possible to see every access on every page on
the webserver so also in the MailSite structure. When a user visualizes
the mail attachements, the stat package is generating a link like this
one:
http://www.site.com/express/cache/DC44AEECB46AE0C029E85BBD43089833/41182
00
66/attachment
The default installation path of Mailsite Managements Agent is /express.
Every attachment is stored in the sub directory called cache. Access path
to this directory is granted through a randomly generated url so it's
impossible to retrieve any attachments from it. Connecting instead from
the link contained in the stat package page, it is possible to retrieve
directly any attachment.
Solution:
*********
The vendor has been contacted and a patch is not yet produced
Suggestions:
************
Protect your web statistics page with a login procedure. Upgrade your
current version of Mail Site Express when the vendor will release the
patch to fix this problem.
G00db0y - www.zone-h.org admin
Original advisory: http://www.zone-h.org/en/advisories/read/id=2643/
[ reply ]