TUCoPS :: Web :: Apps :: bt566.txt

Rockliffe Mailsite Express - mail attachments retrievable without proper authentication CGI:




ZH2003-1SA (security advisory): Rockliffe Mailsite Express - mail 

attachments retrievable without proper authentication.

Published: 08/07/2003



Released: 08/07/2003



Name: Rockliffe Mailsite Express - mail attachments retrievable without 

proper authentication



Affected Systems: Mailsite 5.3.4 (and older versions?)



Issue: Remote attackers can view all attachments



Author: G00db0y@zone-h.org





Description



***********



Zone-h Security Team has discovered a serious security flaw in 

Rockliffe's MailSite Management Agent (version 5.3.4). This server allows 

remote users to access their POP3 accounts and read their mail over HTTP. 

The service usually listens on TCP port 80. The system allows an attacker 

to retrieve all attachments from it granting access to sensible 

information .



Details



*******



Many sites (you can find them using google) register all accesses to 

their websites. This information is collected in their stats page. It's 

very easy to find them (example www.site.com/stats/). From that point, an 

attacker could retrieve without authentication any attachments on every 

email that is online and not deleted from the mail server.



>From the stats page it's possible to see every access on every page on 

the webserver so also in the MailSite structure. When a user visualizes 

the mail attachements, the stat package is generating a link like this 

one: 

http://www.site.com/express/cache/DC44AEECB46AE0C029E85BBD43089833/4118200

66/attachment



The default installation path of Mailsite Managements Agent is /express. 

Every attachment is stored in the sub directory called cache. Access path 

to this directory is granted through a randomly generated url so it's 

impossible to retrieve any attachments from it. Connecting instead from 

the link contained in the stat package page, it is possible to retrieve 

directly any attachment.



Solution:



*********



The vendor has been contacted and a patch is not yet produced



Suggestions:



************



Protect your web statistics page with a login procedure. Upgrade your 

current version of Mail Site Express when the vendor will release the 

patch to fix this problem.



G00db0y - www.zone-h.org admin



Original advisory: http://www.zone-h.org/en/advisories/read/id=2643/

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH