kebi-webmail_vul.txt

2001-12-09T00:00:00
ID PACKETSTORM:25514
Type packetstorm
Reporter secret
Modified 2001-12-09T00:00:00

Description

                                        
                                            `kebi-Webmail Solution vulnerability (Tested)  
by secret (e-mail: sale2001@orgio.net )  
  
  
Summary :   
Get webmail server's admin competence by remote attack in kebi-Webmail Solution.  
  
  
Platform:  
Attacker platform :   
All Operating Systems + Web browser  
  
  
Target platform:  
All kebi Webmail solution loading server  
(kebi enterprise version(KEV) )  
(kebi Academy verseion (KAV) )  
  
  
Description:  
When establish kebi webmail server's basis, there is hidden directory that connect to administrator menu.  
Here is place that it is not known on outside.  
There is no competence certification here to be   
http://target/a/ here justly!  
Because most systems that a wisdom a administrator a person who quote web here is but uses Kebimail server are exposed without certification, the mailserver user's personal information & E-Mail's contents inspection is available all and access is possible to user's homepage contents if use to homepage spaceassignment function.  
Almost all administrator functions by simple exploit to get available but, perfect administrator competence to the Webmail Server user account make and can get perfect administrator competence if put exploit to (free e-mail accountapplication possibility) web browser.  
  
  
exploits : http://mail.sample_target.com/a/  
  
If server who is using kebi webmail solution is mail.sample_target.com:  
Attack is http:// mail.sample_target.com/a/input in web browser url form  
  
  
Solution :   
Prevent that rob webmail server administrator competence to gouge by externalattacker using web certification (.htaccess,etc....) to   
http://webmail_server_URL/a/  
  
  
comment :   
Use kebi webmail solution in many place (research institute, school, the company, and so on).Read this document and secure, and it wished to become big help also.  
  
  
Vendor site :   
http://solution.nara.co.kr/  
http://www.nara.co.kr  
  
  
  
------------------------------------------------------  
The writer : secret (e-mail : sale2001@orgio.net )  
WOWHACKER Team : http://www.wowhacker.org  
------------------------------------------------------`