ID OSVDB:38182 Type osvdb Reporter OSVDB Modified 2007-07-17T17:22:08
Description
Vulnerability Description
MailMarshal contains a flaw that may allow an attacker to modify arbitrary accounts via the Spam Quarantine interface. The issue is due to the password reset feature in the HTTP interface not properly sanitizing user-supplied input. By sending a crafted string in the UserID variable with a large amount of trailing whitespace characters, an attacker can trigger an SQL buffer truncation and modify arbitrary accounts.
Solution Description
Upgrade to version 6.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
References:
Secunia Advisory ID: 26018
Other Advisory URL: http://www.sec-1labs.co.uk/advisories/BTA_Full.pdf
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0323.html
CVE-2007-3796
Bugtraq ID: 24936
{"bulletinFamily": "software", "viewCount": 0, "reporter": "OSVDB", "references": [], "description": "## Vulnerability Description\nMailMarshal contains a flaw that may allow an attacker to modify arbitrary accounts via the Spam Quarantine interface. The issue is due to the password reset feature in the HTTP interface not properly sanitizing user supplied input. By sending a crafted string in the UserID variable with a large amount of trailing whitespace characters, an attacker can trigger an SQL buffer truncation and modify arbitrary accounts.\n\n## Solution Description\nUpgrade to version 6.2.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## References:\n[Secunia Advisory ID:26018](https://secuniaresearch.flexerasoftware.com/advisories/26018/)\nOther Advisory URL: http://www.sec-1labs.co.uk/advisories/BTA_Full.pdf\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2007-07/0323.html\n[CVE-2007-3796](https://vulners.com/cve/CVE-2007-3796)\nBugtraq ID: 24936\n", "affectedSoftware": [], "href": "https://vulners.com/osvdb/OSVDB:38182", "modified": "2007-07-17T17:22:08", "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2017-04-28T13:20:34", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-3796"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:17550", "SECURITYVULNS:VULN:7944"]}, {"type": "nessus", "idList": ["MAILMARSHAL_SPAM_QUARANTINE_INFO_DISCLOSURE.NASL"]}, {"type": "kaspersky", "idList": ["KLA10247"]}], "modified": "2017-04-28T13:20:34", "rev": 2}, "vulnersScore": 6.8}, "id": "OSVDB:38182", "title": "MailMarshal Spam Quarantine Interface UserID Variable SQL Truncation Arbitrary Account Modification", "edition": 1, "published": "2007-07-17T17:22:08", "type": "osvdb", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "cvelist": ["CVE-2007-3796"], "lastseen": 
"2017-04-28T13:20:34"}
{"cve": [{"lastseen": "2021-02-02T05:31:25", "description": "The password reset feature in the Spam Quarantine HTTP interface for MailMarshal SMTP 6.2.0.x before 6.2.1 allows remote attackers to modify arbitrary account information via a UserId variable with a large amount of trailing whitespace followed by a malicious value, which triggers SQL buffer truncation due to length inconsistencies between variables.\n\"Successful exploitation requires that the attacker knows the email address of the target user.\"\nThe vendor has released version 6.2.1 to address this issue.", "edition": 6, "cvss3": {}, "published": "2007-07-17T23:30:00", "title": "CVE-2007-3796", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-3796"], "modified": "2008-09-05T21:26:00", "cpe": ["cpe:/a:mailmarshal:mailmarshal_smtp:6.2.0"], "id": "CVE-2007-3796", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3796", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:mailmarshal:mailmarshal_smtp:6.2.0:*:*:*:*:*:*:*"]}], "kaspersky": [{"lastseen": "2020-09-02T11:53:44", "bulletinFamily": "info", "cvelist": ["CVE-2007-3796"], "description": "### *Detect date*:\n07/17/2007\n\n### *Severity*:\nCritical\n\n### *Description*:\nAn unspecified vulnerability was found in MailMarshal SMTP. By exploiting this vulnerability malicious users can modify arbitrary account information. 
This vulnerability can be exploited remotely via a specially designed UserId variable.\n\n### *Affected products*:\nMailMarshal SMTP version 6.2\n\n### *Solution*:\nUpdate to latest version\n\n### *Impacts*:\nSB \n\n### *Related products*:\n[M86 MailMarshal SMTP](<https://threats.kaspersky.com/en/product/M86-MailMarshal-SMTP/>)\n\n### *CVE-IDS*:\n[CVE-2007-3796](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3796>)7.6Critical", "edition": 42, "modified": "2020-05-22T00:00:00", "published": "2007-07-17T00:00:00", "id": "KLA10247", "href": "https://threats.kaspersky.com/en/vulnerability/KLA10247", "title": "\r KLA10247Vulnerability in MailMArshal SMTP ", "type": "kaspersky", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:22", "bulletinFamily": "software", "cvelist": ["CVE-2007-3796"], "description": " SEC-1 LTD.\r\n\r\n www.sec-1.com\r\n\r\n Security Advisory\r\n\r\nAdvisory Name: MailMarshal Spam Quarantine Password Retrieval \r\n Vulnerability\r\n\r\n Release Date: 17-06-2007\r\n Application: MailMarshal SMTP 6.2.0.x\r\n \r\n Platform: Microsoft Windows \r\n Severity: Password Retrieval\r\n Author: Gary O'leary-Steele \r\n Reported: See time line section below\r\nVendor status: Fix Available\r\nCVE Candidate: CVE-2007-3796\r\n Reference: http://www.sec-1.com/\r\n\r\n\r\nOverview from www.mailmarshal.com: \r\n\r\nMailMarshal SMTP is a total email content security solution for business\r\nnetworks. It combines anti-spam, anti-virus, anti-phishing, anti-porn\r\nand\r\ncontent security into a highly scalable and easily manageable solution.\r\nMailMarshal enables you to meet your corporate obligation to provide a\r\nsafe and secure environment for your employees. 
It also enables you to\r\nmeet\r\nyour obligation to effectively monitor and manage your organization's\r\ncompliance with relevant corporate governance and legislative regulatory\r\nframeworks.\r\n\r\n\r\nVulnerability Summary:\r\n\r\nThe Spam Quarantine HTTP interface password reset facility is vulnerable\r\n\r\nto a SQL buffer truncation attack. The vulnerability could be exploited \r\nto reset and retrieve any user account. The attacker would require prior\r\n\r\nknowledge of the users email address.\r\n\r\n\r\nVulnerability Details:\r\n\r\nA technical analysis of the vulnerability is included within our\r\n"Buffer Truncation in Microsoft SQL Server Based Applications 1.1" paper\r\n\r\n\r\nhttp://www.sec-1labs.co.uk/advisories/BTA_Full.pdf\r\n\r\n\r\nTime Line:\r\n\r\n24/05/2007 Reported\r\n12/07/2007 Fix Available\r\n\r\n\r\nVendor Status: \r\n\r\nThis issue has been resolved in version 6.2.1. See the change history\r\nfor further\r\ndetails.\r\n\r\nhttp://www.marshal.com/software/mailmarshal_smtp/MailMarshalSMTP-Release\r\nNotes-6.2.1.3252.htm#Change%20History\r\n\r\n\r\nCommon Vulnerabilities and Exposures (CVE) Information:\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \r\nthe following names to these issues. These are candidates for \r\ninclusion in the CVE list (http://cve.mitre.org), which standardizes \r\nnames for security problems.\r\n\r\n\r\nCVE-2007-3796\r\n\r\nCopyright 2007 Sec-1 LTD. All rights reserved.\r\n\r\nSec-1 specialises in the provision of network security solutions. 
\r\nFor more information on products and services we offer visit \r\nwww.sec-1.com \r\nor call\r\n0113 257 8955.\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2007-07-19T00:00:00", "published": "2007-07-19T00:00:00", "id": "SECURITYVULNS:DOC:17550", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:17550", "title": "[Full-disclosure] [Sec-1 Ltd] Advisory: MailMarshal Spam Quarantine Password Retrieval Vulnerability", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:26", "bulletinFamily": "software", "cvelist": ["CVE-2007-2231", "CVE-2007-3796"], "description": "PHP inclusions, SQL injections, directory traversals, crossite scripting, information leaks, etc.", "edition": 1, "modified": "2007-07-19T00:00:00", "published": "2007-07-19T00:00:00", "id": "SECURITYVULNS:VULN:7944", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7944", "title": "Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)", "type": "securityvulns", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-01-20T12:02:11", "description": "The remote host is running the Spam Quarantine Management web\ncomponent of MailMarshal SMTP, a mail server for Windows. \n\nThe version of the Spam Quarantine Management web component installed\non the remote host fails to sanitize input to the 'emailTextBox'\nparameter of the 'Register.aspx' script before using it in database\nqueries. 
By appending a long string of blanks and his own email\naddress, an unauthenticated attacker may be able to leverage this\nissue to reset and retrieve the password to any user account provided\nhe knows the email address associated with it.", "edition": 26, "published": "2007-07-18T00:00:00", "title": "MailMarshal Spam Quarantine Interface Arbitrary Account Password Retrieval", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-3796"], "modified": "2007-07-18T00:00:00", "cpe": [], "id": "MAILMARSHAL_SPAM_QUARANTINE_INFO_DISCLOSURE.NASL", "href": "https://www.tenable.com/plugins/nessus/25711", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(25711);\n script_version(\"1.18\");\n\n script_cve_id(\"CVE-2007-3796\");\n script_bugtraq_id(24936);\n\n script_name(english:\"MailMarshal Spam Quarantine Interface Arbitrary Account Password Retrieval\");\n script_summary(english:\"Checks version in SMTP banner\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains an ASP.NET script that is susceptible\nto an information disclosure vulnerability.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running the Spam Quarantine Management web\ncomponent of MailMarshal SMTP, a mail server for Windows. \n\nThe version of the Spam Quarantine Management web component installed\non the remote host fails to sanitize input to the 'emailTextBox'\nparameter of the 'Register.aspx' script before using it in database\nqueries. 
By appending a long string of blanks and his own email\naddress, an unauthenticated attacker may be able to leverage this\nissue to reset and retrieve the password to any user account provided\nhe knows the email address associated with it.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2007/Jul/323\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MailMarshal SMTP 6.2.1 or later.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/07/18\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/07/18\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"remote\");\nscript_end_attributes();\n\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smtpserver_detect.nasl\", \"doublecheck_std_services.nasl\", \"http_version.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/smtp\", 25, \"Services/www\", 80);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"smtp_func.inc\");\n\n\n# Grab the version from the SMTP banner.\nport = get_kb_item(\"Services/smtp\");\nif (!port) port = 25;\nif (!get_port_state(port)) exit(0, \"Port \"+port+\" is closed\");\n\nver = NULL;\nbanner = get_smtp_banner(port:port);\nif (! 
banner)\n exit(1, \"No SMTP banner on port \"+port+\".\");\nif (\" ESMTP MailMarshal \" >!< banner)\n exit(0, \"MailMarshal is not running on port \"+port+\".\");\n\n pat = \" ESMTP MailMarshal \\(v([0-9][0-9.]+)\\)\";\n matches = egrep(pattern:pat, string:banner);\n if (matches)\n {\n foreach match (split(matches))\n {\n match = chomp(match);\n item = eregmatch(pattern:pat, string:match);\n if (!isnull(item))\n {\n ver = item[1];\n break;\n }\n }\n }\n\n\n\n# If it's a vulnerable version...\nif (! ver)\n exit(1, \"MailMarshall version could not be identified on port \"+port+\".\");\nif (ver !~ \"^([0-5]\\.|6\\.([01]\\.|2\\.0[^0-9]?))\")\n exit(0, \"MailMarshall is not vulnerable on port \"+port+\".\");\n\n report = NULL;\n\n # If we're being paranoid, just flag it as vulnerable.\n if (report_paranoia > 1)\n report = string(\n \"\\n\",\n \"According to its SMTP banner, version \", ver, \" of MailMarshal is\\n\",\n \"installed on the remote host, but Nessus did not check whether the\\n\",\n \"optional Spam Quarantine component is available because of the Report\\n\",\n \"Paranoia setting in effect when this scan was run.\\n\"\n );\n # Otherwise, make sure the affected component is installed.\n else \n {\n port = get_http_port(default:80, embedded: 0, asp: 1);\n\n # Loop through directories.\n if (thorough_tests) dirs = list_uniq(make_list(\"/SpamConsole\", cgi_dirs()));\n else dirs = make_list(cgi_dirs());\n\n foreach dir (dirs)\n {\n url = string(dir, \"/Register.aspx\");\n w = http_send_recv3(method:\"GET\", item:url, port:port, exit_on_fail: 1);\n res = w[2];\n\n # If it is...\n if (\n \"MailMarshal\" >< res && \n \"Spam Quarantine Management\" >< res &&\n '<form name=\"Form1\" method=\"post\" action=\"Register.aspx\"' >< res\n )\n {\n report = string(\n \"\\n\",\n \"According to its SMTP banner, version \", ver, \" of MailMarshal is\\n\",\n \"installed on the remote host and the affected component is accessible\\n\",\n \"under the directory '\", dir, \"'.\"\n 
);\n break;\n }\n }\n }\n\nif (report)\n security_hole(port:port, extra:report);\nelse\n exit(0, \"No vulnerable MailMarshal instance was found on port \"+port+\".\");\n\n", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}]}