
EMUMAIL5.x.txt

Date: 19 Feb 2003
Reported by: Dr. Insane
Type: packetstorm
Source: packetstormsecurity.com

Parameter validation flaws in EMUMAIL 5.x can lead to possible denial of service attacks.

Code
`1) EMUMAIL 5.x parameter validation vulnerability.  
---------------------------  
  
Summary  
--------  
Parameter validation bugs exist in 2 of the most popular Greek free e-mail providers. The problem is also present on  
many other servers worldwide. The affected software is EMUMAIL 5.x, used by Mail.gr; the software used by Mailbox.gr remains  
unidentified. This vulnerability allows the creation of arbitrary folders, which could potentially lead to a DoS attack.  
  
System(s) Affected  
----------------  
EMUMAIL 5.x used by Mail.gr (possibly EMUMAIL systems < 5 are also vulnerable)  
Unknown Software used by Mailbox.gr  
  
  
Exploit  
------  
  
The proof of concept is provided below for EMUMAIL 5.x as used by Mail.gr.  
EMUMAIL handles the folder arguments without any validation.  
Requesting the URL below creates a folder with the name  
provided in the "folder=" parameter.  
  
  
http://www.mail.gr/email.fcgi?passed=select&reload.x=19&folder=SOMENAME  
  
The same vulnerability exists in Mailbox.gr.  
  
http://www.mailbox.gr/cgi-mailbox/webemail/read.cgi/greek?acc=accountnamehere&folder=SOMENAME  
  
As you may have noticed, both vulnerabilities lie in the passing of the folder parameter  
and the mishandling of the supplied arguments. We strongly believe that Mailbox.gr  
is somehow "based" on EMUMAIL and thus still vulnerable.  
  
  
Also, if you try to load the string below in Internet Explorer 6 SP1, the browser will crash:  
(I have tested it on many systems)  
  
http://www.mailbox.gr/cgi-mailbox/webemail/read.cgi/greek?acc=accountnamehere&folder=(about_2000+_characters)  
  
(I don't know if the same thing happens to you)  
  
Finally, if you load the string above in another browser (not IE), you will get this message from the server:  
  
"Request-URI Too Large  
The requested URL's length exceeds the capacity limit for this server.request failed: URI too long"  
  
Maybe this can lead to a buffer overflow and execution of arbitrary code.  
  
  
-------------------------------------------------------------------------------------  
2) MAILBOX Vulnerability ( software developed by SM-SOFT Information and EUROPLANET )  
  
Summary  
--------  
Two other parameter validation bugs exist in one of the most popular Greek free e-mail providers.  
The (unknown) affected software is used by mailbox.gr. One vulnerability allows mass mailing of  
mailbox.gr's promotional mail. The other bug allows unauthorized viewing of the logon history of any account.  
  
  
System(s) Affected  
----------------  
Unknown Software used by Mailbox.gr developed by SM-SOFT Information and EUROPLANET  
Communication Informatics.  
  
  
Exploit  
------  
  
The proof of concept is provided below for Mailbox.gr.  
The software handles the account arguments without validating whether the account exists.  
Each time the URL below is requested, mailbox.gr's promotional mail is sent to the address provided after  
the useremail parameter, as many times as you hit your return key. This could potentially fill up that address's  
inbox, as the promotional mail is about 14kb.  
  
  
http://www.mailbox.gr/cgi-mailbox/webemail/suggest.cgi?userid=whateverhere&[email protected]  
  
The mail will appear to be mailed from [email protected] which is an invalid account name.  
  
  
The other vulnerability allows viewing the logon history of any account.  
  
http://www.mailbox.gr/cgi-mailbox/webemail/logoview.cgi?userid=accounthere  
  
Requesting the URL above prints the logon history of  
the accounthere account.  
  
  
  
  
PATCH  
-----  
The vendor has been notified, but no patch is available yet.  
  
  
-----------------  
Vulnerability and exploit by: Dr_insane ------> [email protected]  
`
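
The checks whose absence the advisory describes (no validation of `folder=`, no check that the account named in `acc=`/`userid=` belongs to the caller, no bound on request size), as an added server-side sketch that is not EMUMAIL's or Mailbox.gr's code. The action names, the folder-name policy, the length cap and the sample accounts are assumptions made for illustration.

```python
import re

# Assumed policy values (not from the advisory): folder-name charset and caps.
FOLDER_RE = re.compile(r"[A-Za-z0-9_ -]{1,64}")
MAX_QUERY_LEN = 1024

# Constructed sample state: folders the server already holds per account.
FOLDERS = {"alice": {"INBOX", "Sent", "Trash"}, "bob": {"INBOX"}}


def check_request(session_user, action, params, raw_query_len):
    """Return (allowed, reason) for a webmail request.

    session_user comes from the authenticated session, never from the URL.
    action is one of the hypothetical names 'select_folder',
    'create_folder' or 'view_logons'.
    """
    # Bound the query string before any parameter is interpreted.
    if raw_query_len > MAX_QUERY_LEN:
        return False, "query too long"
    if session_user not in FOLDERS:
        return False, "not authenticated"

    # An account named in the URL (acc= / userid=) must be the session owner.
    target = params.get("acc") or params.get("userid") or session_user
    if target != session_user:
        return False, "account mismatch"
    if action == "view_logons":
        return True, "ok"

    folder = params.get("folder", "")
    if not FOLDER_RE.fullmatch(folder):
        return False, "bad folder name"
    exists = folder in FOLDERS[session_user]
    if action == "select_folder":
        # Selecting must never create: unknown names are rejected.
        return (True, "ok") if exists else (False, "no such folder")
    if action == "create_folder":
        return (False, "folder exists") if exists else (True, "ok")
    return False, "unknown action"
```

Folder creation stays possible only through the explicit create action, which in a real deployment would also carry a per-account folder quota.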
