Type packetstorm
Reporter eEye Digital Security
Modified 1999-08-17T00:00:00


                                            `Date: Wed, 26 May 1999 06:58:27 -0000  
From: Marc <Marc@EEYE.COM>  
Subject: Multiple Web Interface Security Holes  
Multiple Web Interface Security Holes  
Systems Affected  
CMail 2.3  
FTGate 2,1,2,1  
NTMail 4.20  
Release Date  
May 26, 1999  
Advisory Code  
The following holes were found while testing Retina against a few various  
services that have web based interfaces. The holes are nothing amazing just  
common amongst many web based interfaces. We are sure some other software  
will be found with similar holes... if you come across some contact and let us know.  
---> CMail  
The default location of the web based interface for CMail is C:\Program  
Files\Computalynx\CMail Server\pages\. It is a simple hole. For example if  
we were to load http://[server]:8002/../spool/username/mail.txt in our web  
browser we would be looking at the email for that user. Note: Mail.txt is  
not the real mail file. There is one minor problem... reading of files is  
not totally straight forward. It seems CMail has some mechanism of what it  
will read or not. If you have a text file with no carriage returns in it  
CMail will not read it. There also exists multiple buffer overflows within  
the various SMTP and POP server functions of CMail. Yes they are  
exploitable. >:-]  
---> FTGate  
Same as above basically. http://[server]:8080/../newuser.txt The only  
difference is that FTGate doesn't seem to mind if the file has the carriage  
returns or not.  
---> NTMail  
NTMail suffers from the same programming flaw...  
There is other server software out there that suffers from these common  
holes. An average of 65% of the software we have tested thus far has had  
problems with restricting the path that they allow. NTMail as well as the  
other two can be run as a service, NTMail does it by default, therefore you  
can read files as SYSTEM on most of them.  
Disable the web interfaces where applicable until the vendors release  
Vendor Status  
All vendors have been notified.  
Copyright (c) 1999 eEye Digital Security Team  
Permission is hereby granted for the redistribution of this alert  
electronically. It is not to be edited in any way without express consent of  
eEye. If you wish to reprint the whole or any part of this alert in any  
other medium excluding electronic medium, please e-mail for  
The information within this paper may change without notice. Use of this  
information constitutes acceptance for use in an AS IS condition. There are  
NO warranties with regard to this information. In no event shall the author  
be liable for any damages whatsoever arising out of or in connection with  
the use or spread of this information. Any use of this information is at the  
user's own risk.  
Please send suggestions, updates, and comments to:  
eEye Digital Security Team  
([Retina, because a security scanner should do more then what it is told.])  
Date: Fri, 28 May 1999 16:11:18 +0100  
From: John Stanners <john.stanners@NTMAIL.CO.UK>  
Subject: Re: Web Interface Security Holes (NTMAIL) from BUGTRAQ  
>Multiple Web Interface Security Holes  
>Systems Affected  
>CMail 2.3  
>FTGate 2,1,2,1  
>NTMail 4.20  
This is fixed in NTMail 4.3 which was released on Monday 24th May 1999