Type packetstorm
Reporter Paul Craig
Modified 2005-10-30T00:00:00


= Multiple vulnerabilities within RockLiffe MailSite Express WebMail  
= Also available online at   
= Vendor Website:   
= Affected Version:  
= All versions of RockLiffe MailSite Express WebMail prior v6.1.22  
= Public disclosure on October 28th, 2005  
== Overview ==  
During an audit of a client, discovered multiple   
critical vulnerabilities within the RockLiffe MailSite Express WebMail   
The vulnerabilities include the retrieval of arbitrary files from the  
web server, and bypassing attachment validation routines allowing for   
remote code execution.  
== Exploitation ==  
Exploit 1: Cross Site Scripting Vulnerabilities  
Recipients who save their login information locally are vulnerable to   
account theft when viewing HTML encoded messages with embedded JavaScript.  
When the option to save login information is selected the users password  
is stored as plaintext within the cookie.  
Crafting an email with scripting in the body will cause the execution of  
the scripting in the context of the site, allowing for the theft of the  
stored credentials.  
A basic test for this is to include the following in the body of a message;  
<script> alert(document.cookie) </script>  
Exploit 2: Multiple Script Attachment Validation Flaws  
The WebMail software attempts to verify the validity of an attachment within  
a received message. It automatically modifies the extension of any files  
ending in .asp, by changing them to .asp.txt. This is an attempt to avoid  
remote code execution through an attached file.  
However, these validity checks can be defeated and script files saved to  
the server.  
By default, only files ending in .asp are identified and rejected as script  
files. If a malicious user were to attach an .asa file instead, Web Mail  
would accept the script attachment, saving the file locally with the  
.asa extension.  
When the .asa file is requested the script contents are executed in the same  
manner as a .asp file. This flaw could also be affected by other extensions  
such as .htr and .aspx.  
A similar flaw exists when an attachment is sent with the filename  
In this instance the message subject is used as the file name, and .asa  
script files can be saved locally.  
Exploit 3: Retrieve Arbitrary System Files via Web Mail  
The location of file attachments for a mail message currently been composed,  
are stored as a physical file path included in the HTML as a hidden field.  
An example of this is shown below;  
<input type="hidden" name="AttachPath"   
This value points to the location where the attachments for the message are  
stored, by default all files within this directory are considered  
attachments for the message currently being composed.  
This value can be manipulated and a message can be sent with arbitrary  
For example, posting the variable AttachPath = H:\Express3Webmail6.1.20\  
would send the recipient a copy of the docroot.  
== Solutions == has been in contact with RockLiffe software and a   
new version of the software has been released to address the discovered  
vulnerabilities. urges RockLiffe users to upgrade to v6.1.22   
by downloading the new version at  
== Credit ==  
Discovered and advised to RockLiffe software July, 2005 by Paul Craig of  
== About == is a leader in intrusion testing and security  
code review, and leads the world with SA-ISO, online ISO17799 compliance  
management solution. is committed to security  
research and development, and its team have previously identified a  
number of vulnerabilities in public and private software vendors products.