Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

5HP0G1FAAC.txt

🗓️ 17 Jun 2003 00:00:00Reported by SecurITeam.comType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 34 Views

Multiple vulnerabilities in Mailtraq can lead to password decryption and directory traversal risks.

Code
` Title 9/6/2003  
Multiple Vulnerabilities Found in Mailtraq (DoS, Password Decryption,  
Directory Traversal)  
Summary  
Mailtraq is a "comprehensive e-mail SMTP/POP3 and proxy server, with a  
powerful mailing list server". The product suffered from multiple  
vulnerabilities that range from access to files that reside outside  
the bounding HTML root directory (through dying access to the server  
by causing the server to utilize a high CPU percentage) through  
decryption of locally stored password,to a cross site scripting  
vulnerability in the web mail interface.  
Details  
Vulnerable version:  
* Mailtraq version 2.1.0.1302  
Immune version:  
* Mailtraq version 2.3.2.1419  
HTTP Server directory traversal  
By accessing a URL as simple as:  
http://127.0.0.1/win2k/  
Or,  
http://127.0.0.1/Program%20Files/  
It is possible to access directories that would be otherwise  
inaccessible. Some of the directories contain sensiti information, but  
what is more interesting in this problem is the fact that the Mailtraq  
product keeps the password encrypted i rivial form, which can be  
easily decrypted using the following perl script:  
#!/usr/bin/perl  
$Password = $ARGV[0];  
print "Passwords should be something like: \\3D66656463626160\n";  
print "Provided password: $Password\n";  
$Password = substr($Password, 3);  
$Length = length($Password)/2;  
print "Length: $Length\n";  
for ($i = 0; $i < $Length; $i++)  
{  
print "Decoding: ", substr($Password, $i*2, 2), " = ";  
$ord = hex(substr($Password, $i*2, 2));  
print $ord^$Length, " (", chr($ord^$Length), ")\n";  
}   
Note that it is possible to "decrypt" any password that is stored  
under the C:\Program Files\Mailtraq\database\conuration directory or  
under the users directory, both of which are accessible via the  
directory traversal vulnerability.  
SMTP MAIL FROM, RCPT TO, HELO, FROM 100% CPU consumption (when viewing  
Event Log)  
By sending a repeated a string such as @@%s%p%n, or without the @@  
along with any of the SMTP commands, MAIL FROM,PT TO, HELO, email's  
FROM head field, will cause server's CPU usage to spike between 1  
second to 5 seconds. Sending a simple ovrlow doesn't have the same  
effect. The number of repeated %s%p%n required in order to cause the  
DoS, is 65535 and above ("%s%p%"x5535 - perl style).  
Cross Site Scripting in WebMail  
Sending a specially crafted email to a user can be used to steal his  
current session allowing an attacker to log oas the user. Sending such  
an email to the postmaster user will usually allow stealing of the  
administrator session. The vulneraiity occurs because the product does  
not correctly filter HTML/JavaScript code from the subject field when  
it is viewed in the is (the email viewing itself is not vulnerable).  
Example:  
Sending an email with the following subject should illustrate the  
issue:  
< script>alert(document.location)</script>  
Logon CGI vulnerable to 100% CPU consumption  
By sending an overly long username and password (any of them, or both)  
the CPU usage by the product will spike to %, the amount of time it  
spikes depends on the size of the buffer being sent (100,000  
characters cause about 3-4 seconds stall) description48=  
POST /$/menu HTTP/1.1  
Host:  
User-Agent: Mozilla/1.0(compatible;)  
Pragma: no-cache  
Content-Length: ...depending on size...  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
user=<More than 100,000 A>&password=<More than 100,000 A>  
Solution:  
We recommend that all users upgrade to the most recent build of  
Mailtraq to ensure that they are up to date with t latest  
developments.  
The latest build of Mailtraq Version 2.3.2.1419 includes the patches  
addressing these issues which are detailed abe.  
Mailtraq Version 2.3.2.1419 is immediately available for download as a  
public beta release pending complete QA tesng, and then will be  
upgraded to full release status.  
Vendor response:  
HTTP Server directory traversal  
Mailtraq is not vulnerable to this problem if it is installed with the  
default configuration on a standard "box". u can only access paths  
exposed by the web server.  
Password Encryption  
With respect to password encoding: weak password encryption was chosen  
as the objective is simply to obscure the iormation from the casual  
reader.  
It is worth noting that by default .cfg files are excluded in the new  
Web Server.  
SMTP MAIL FROM, RCPT TO, HELO, FROM 100% CPU consumption (when viewing  
Event Log)  
We have investigated this issue and added constraints to the SMTP  
server.  
Logon CGI vulnerable to 100% CPU consumption  
These "vulnerabilities" only appear to exist when using the Event Log  
Viewer diagnostic-tool, not when Mailtraq isunning in its normal  
configuration. However we have addressed the potential for high CPU  
consumption by capping the size form ecded POST data.  
Under normal running conditions the neither the Mailtraq Console or  
the event log viewer are open, so the "vulnerality" relies upon  
specific administrator activity.  
Cross Site Scripting in WebMail  
The example that you gave referred to the old and deprecated WebMail  
service. We recognise that this is a potentiay significant issue and  
are grateful for your bringing it to our attention. It has been  
addressed in build 1419 which was releae earlier today.  
Mailtraq has replaced the entire WebMail system with a new one since  
the tested build. The new WebMail system was t susceptible to the  
problem you described, but CSS could be invoked in another manner.  
This has now been addressed.  
It is important to note that the AUTHKEY cookie (allowing  
re-authentication after session expiry) is keyed to the ient IP  
address. As of today's build, the same applies to the SESSIONKEY.  
Thus, even if a new CSS vulnerability were to arise, ouseful  
information could be extracted from the browser.  
The browse.asp* vulnerability which allows the attacker to determine  
the path of the installed web site has been aressed by limiting this  
debug information to the LAN specification.  
We again thank you for bringing these items to our attention, and  
would be pleased to hear from you to discuss theatter further.  
Best wishes,  
David Rose  
Additional information  
The information has been provided by Noam Rathaus of SecurITeam.  
  
&"nbsp;"  
  
Copyright © 1998-2003 Beyond Security Ltd. All rights reserved.  
Terms of Use Site Privacy Statement.  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
17 Jun 2003 00:00Current
7.4High risk
Vulners AI Score7.4
mailtraq vulnerabilitiesdirectory traversalpassword decryptiondenial of servicecross site scripting.
34