ZH2003-10SA (security advisory): Mail System Ver. 0.9 Beta.
Published: 16/07/2003
Released: 16/07/2003
Name: Mail System Ver. 0.9 Beta
Affected Systems: All versions (?)
Issue: Remote attackers can view all messages (and SQL injection
vulnerability)
Author: G00db0y@zone-h.org
Description
***********
Zone-h Security Team has discovered a serious security flaw in Mail System
Ver. 0.9 Beta.
This is a simple internal mail system, originally developed for an intranet
project.
Details
*******
Mail System Ver. 0.9 Beta is a simple internal mail system in ASP.
It's possible to retrieve all messages from it.
Everyone can download the database at the following URL:
http://www.example.com/PATH/message.mdb
Moreover, there is a SQL injection vulnerability in the login
authentication form.
It's located at:
http://www.example.com/PATH/default.htm
From there it's possible to login with these strings:
Login name: ' or 'a'='a
Password: ' or 'a'='a
Solution:
*********
The vendor has been contacted; a patch has not yet been produced.
Suggestions:
************
Protect the message file, rewrite the login procedure.
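The following is an added illustration, not code from the advisory or from the Mail System product, of why the login strings above work and what "rewrite the login procedure" means in practice. It uses an in-memory SQLite table (constructed sample data) in place of the product's Access database, and compares a login check built by string concatenation with one that uses a parameterised query. The function names and the sample user are assumptions for the example.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the advisory's message.mdb user list.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    conn.commit()
    return conn


def login_vulnerable(conn, login, password):
    # Mirrors the flaw the advisory describes: user input is spliced into the
    # SQL text, so a quote in the input ends the literal and the rest becomes SQL.
    sql = ("SELECT COUNT(*) FROM users WHERE login = '" + login +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, login, password):
    # Parameterised query: the driver binds the values separately from the SQL
    # text, so quotes in the input are data, never part of the statement.
    # (Comparing plaintext passwords is kept only to match the vulnerable version;
    # real code would compare a salted hash.)
    sql = "SELECT COUNT(*) FROM users WHERE login = ? AND password = ?"
    return conn.execute(sql, (login, password)).fetchone()[0] > 0


# The exact login/password string quoted in the advisory.
BYPASS = "' or 'a'='a"


def demo():
    """Run both login procedures against valid credentials and the advisory's strings."""
    conn = make_db()
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "s3cret"),
        "vuln_bypass": login_vulnerable(conn, BYPASS, BYPASS),
        "fixed_valid": login_fixed(conn, "alice", "s3cret"),
        "fixed_bypass": login_fixed(conn, BYPASS, BYPASS),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

With the advisory's strings, the concatenated query becomes `... WHERE login = '' or 'a'='a' AND password = '' or 'a'='a'`, and because the trailing `or 'a'='a'` is always true the row count is non-zero and the login is accepted. The parameterised version treats the same input as a literal login name, finds no such user, and rejects it.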
G00db0y - www.zone-h.org admin
Original advisory here: http://www.zone-h.org/en/advisories/read/id=2709/