Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I found multiple bugs in MailEnable Enterprise Edition ASP Version <= 2.0, listed below:

1) Any user can log in to the web administration site.
2) An authenticated normal user can gain ADMIN or SYSADMIN level; a remote user can also disable his/her own account!
3) Everyone (even an unauthenticated user) can write a message into the "Draft" folder of any user!
4) Everyone can create "myupload.ams" on the server in the "drafts" folder of every user!
5) Everyone can create "_myupload.csv" on the server in the "drafts" folder of every user!
6) Changing the password requires the current password, but the current password is present in the source of the "ListAttachments.asp" file; if an XSS attack or session hijacking happens, the attacker can obtain the user's current password.

Detailed descriptions:

1) Any user can log in to the web administration site through a bug in "main.asp" (Enterprise).
Proof of concept exploit:
-----------------------Start--------------------------
-----------------------End----------------------------

2) An authenticated normal user can gain ADMIN or SYSADMIN level; a remote user can also disable his/her own account!
Bug in the "MailOptions.asp" file: a remote authenticated user can change the value of the hidden field (name="LoginRights") from "USER" to "ADMIN" or "SYSADMIN" and raise his/her level, or change the value of the hidden field (name="LoginStatus") to "0" to disable his/her own account!
Proof of concept exploit:
-----------------------Start--------------------------
-----------------------End----------------------------

3) Everyone (even an unauthenticated user) can write a message into the "Draft" folder of any user!
Bug in the "Resolve.asp" file: this file does not check whether the user is authenticated!
Proof of concept exploit:
--------------Start---------------------
--------------End---------------------

4) Create "myupload.ams" on the server in the "drafts" folder of every user! The MailEnable folder path is disclosed if "username" or "postoffices" is incorrect!
Proof of concept exploit:
-----------------------Start--------------------------
-----------------------End----------------------------

5) Create "_myupload.csv" on the server in the "drafts" folder of every user! The MailEnable folder path is disclosed if "username" or "postoffices" is incorrect!
Proof of concept exploit:
-----------------------Start--------------------------
-----------------------End----------------------------

6) The password is present in the page source.
Proof:
-----------------------Start--------------------------
http://[URL]/MEWebmail/base/enterprise/lang/EN/Forms/MAI/ListAttachments.asp?Mode=Compose&ID=test.MAI&MsgFormat=HTML&FormAction=Send&ComposeMode=General&Folder=%5CDrafts
-----------------------End----------------------------

Product name: MailEnable Enterprise Edition
Version: All ASP versions <= 2.0
URL: www.mailenable.com
Finder: Soroush Dalili
Team: GSG [Grayhatz.net]
Country: Iran
Site: Grayhatz.net
Email: IRSDL[a.t]Yahoo[d0t]Com

<< I hope secure world for all >>

# milw0rm.com [2006-06-09]
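The following is an added illustration of item 2, written for this page and not taken from MailEnable's code: a form handler that copies the hidden LoginRights/LoginStatus fields as posted, beside a hardened version that decides those values from the caller's server-side record. The Account class, the DisplayName field and the RejectedChange exception are constructed for the example.

```python
from dataclasses import dataclass

# Constructed model, not MailEnable code: the account record MailOptions.asp edits.
RIGHTS_RANK = {"USER": 0, "ADMIN": 1, "SYSADMIN": 2}

@dataclass
class Account:
    name: str
    rights: str = "USER"    # value behind the LoginRights hidden field
    status: int = 1         # value behind the LoginStatus hidden field: 1 enabled, 0 disabled
    display_name: str = ""  # a legitimate self-service field (hypothetical)

class RejectedChange(Exception):
    """Raised when a posted field would alter data the caller may not change."""

def update_options_vulnerable(acct, form):
    """The flawed pattern from item 2: hidden fields are copied straight into the
    account, so whoever edits LoginRights/LoginStatus in the browser promotes
    or disables the account."""
    acct.display_name = form.get("DisplayName", acct.display_name)
    acct.rights = form.get("LoginRights", acct.rights)
    acct.status = int(form.get("LoginStatus", acct.status))
    return acct

def update_options_hardened(caller, target, form):
    """Authorization fields come from the caller's server-side record, never from
    the request body; all checks run before any field is written."""
    wanted_rights = form.get("LoginRights")
    if wanted_rights is not None and wanted_rights != target.rights:
        if wanted_rights not in RIGHTS_RANK:
            raise RejectedChange("unknown LoginRights value %r" % wanted_rights)
        if RIGHTS_RANK[caller.rights] < RIGHTS_RANK["ADMIN"]:
            raise RejectedChange("only administrators may change LoginRights")
        if RIGHTS_RANK[wanted_rights] > RIGHTS_RANK[caller.rights]:
            raise RejectedChange("cannot grant rights above the caller's own level")
    wanted_status = form.get("LoginStatus")
    if wanted_status is not None and wanted_status != str(target.status):
        if wanted_status not in ("0", "1"):
            raise RejectedChange("unknown LoginStatus value %r" % wanted_status)
        if caller.name == target.name:
            raise RejectedChange("an account may not change its own LoginStatus")
        if RIGHTS_RANK[caller.rights] < RIGHTS_RANK["ADMIN"]:
            raise RejectedChange("only administrators may change LoginStatus")
    # Every check passed: apply the self-service field and any permitted changes.
    target.display_name = form.get("DisplayName", target.display_name)
    if wanted_rights is not None:
        target.rights = wanted_rights
    if wanted_status is not None:
        target.status = int(wanted_status)
    return target
```

Rejections are raised rather than silently dropped so the web tier can log a tampered POST as a security event.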