602LAN SUITE 2004 (build 2004.0.05.0413) Multiple vulnerabilities
29 April 2005

Synopsis:

Dr_insane has discovered several remotely exploitable vulnerabilities in 602LAN SUITE 2004. 602LAN SUITE is a mail server with anti-virus and anti-spam filtering, a built-in firewall with NAT, and a web content filter proxy for controlled Internet sharing; e-mail can be read from anywhere with the Web Mail client. These vulnerabilities allow a remote user to perform denial of service attacks, to execute arbitrary HTML and script code in a user's browser session in the context of the vulnerable site, and to enumerate arbitrary files on the server.

Description:

issue 1:

The first vulnerability is a cross-site scripting flaw that may allow a malicious user to execute arbitrary HTML and script code in a user's browser session in the context of the vulnerable site. Input passed to the "A" parameter of "mail" is not properly sanitised before being returned to the user.

example:
http://[host]/mail?A=[code]&U=[cookie]

In addition, a second cross-site scripting attack is possible by creating a new folder whose name contains JavaScript code.

Finally, a third cross-site scripting attack is possible when composing a new e-mail message: JavaScript code can be inserted in the "subject" field and in the message body. When the recipient opens the e-mail in the 602LAN SUITE Web Mail client, the code is executed.

issue 2:

The second issue is an arbitrary file enumeration that can also be turned into a very effective denial of service attack. The problem again lies in the "A" parameter of "mail". By using "../" directory traversal sequences it is possible to test for files in arbitrary locations outside the intended directory.

example:
http://127.0.0.1/mail?A=/../../../../../../../[some_folder]/[some_file]

What happens when the request above is sent: if the given file does NOT exist on the server, the user is redirected to the start-up screen; if the file exists, nothing happens in the browser, but an error message is generated on the server. This difference in behaviour is what lets a remote user tell existing files from non-existing ones.

This may look like simple file enumeration, but a malicious user could use it to build a very effective DoS attack: a script could send thousands of requests for valid files, each of which triggers the server-side error handling.

Credit:
Dr_insane dr_insane(at)pathfinder.gr
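As an added example (not part of the advisory and not 602LAN SUITE code), the following Python script shows how a defender could spot both issues in web-server access logs: it parses constructed log lines, flags requests to /mail whose "A" parameter carries a traversal sequence or script markup, and counts traversal probes per client address to surface the flood pattern described under issue 2. The log-line format, the IP addresses and paths in the sample, the script-marker patterns and the threshold of 50 requests are assumptions for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Access-log line shape assumed here (Common Log Format plus status); adjust for the real server.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
# Issue 2: "../" traversal, including the URL-encoded and backslash forms.
TRAVERSAL_RE = re.compile(r'(\.\./|\.\.\\|%2e%2e)', re.I)
# Issue 1: a crude marker set (assumed) for script injection in the echoed parameter.
SCRIPT_RE = re.compile(r'(<script|javascript:|on(?:error|load|click)\s*=)', re.I)


def parse_line(line):
    """Split one access-log line into its fields plus the parsed path and query."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    # keep_blank_values so an empty A= still shows up as a request to /mail
    rec['query'] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify_request(rec):
    """Return the findings ('traversal', 'xss') for a request to /mail, else []."""
    findings = []
    if rec['path'].rstrip('/') != '/mail':
        return findings
    for raw in rec['query'].get('A', []):
        # parse_qs already decoded once; decoding again catches double-encoded payloads
        value = unquote(raw)
        if TRAVERSAL_RE.search(value):
            findings.append('traversal')
        if SCRIPT_RE.search(value):
            findings.append('xss')
    return findings


def analyse(lines, dos_threshold=50):
    """Walk the log once; collect findings and the clients probing often enough to look like the DoS."""
    summary = {'traversal': [], 'xss': [], 'dos_suspects': []}
    probes = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for kind in classify_request(rec):
            summary[kind].append((rec['ip'], rec['target']))
            if kind == 'traversal':
                probes[rec['ip']] += 1
    summary['dos_suspects'] = sorted(ip for ip, n in probes.items() if n >= dos_threshold)
    return summary


# Constructed sample log: one normal request, one XSS probe, one traversal probe,
# then a burst of traversal requests from a single address (the DoS pattern).
_TS = '29/Apr/2005:10:00:01 +0000'
SAMPLE_LOG = [
    f'10.0.0.2 - - [{_TS}] "GET /mail?A=inbox&U=abc HTTP/1.1" 200 4096',
    f'10.0.0.5 - - [{_TS}] "GET /mail?A=%3Cscript%3Ealert(1)%3C/script%3E&U=abc HTTP/1.1" 200 512',
    f'10.0.0.5 - - [{_TS}] "GET /mail?A=/../../../../../../../windows/win.ini&U=abc HTTP/1.1" 200 0',
] + [
    f'10.0.0.9 - - [{_TS}] "GET /mail?A=/../../../../../../../windows/win.ini&U=abc HTTP/1.1" 200 0'
    for _ in range(60)
]

if __name__ == '__main__':
    result = analyse(SAMPLE_LOG)
    print(f"traversal probes: {len(result['traversal'])}, xss probes: {len(result['xss'])}")
    print(f"possible DoS sources: {result['dos_suspects']}")
```

The per-client counter is the part worth tuning: a single traversal request is a probe, while dozens in a short window from one address match the scripted flood the advisory warns about, so the threshold should be set against the server's normal request rate rather than the fixed value used here.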