1st Class Internet Solutions 1st Class Mail Server Multiple Input Validation Vulnerabilities
BID:10089
Info
1st Class Internet Solutions 1st Class Mail Server Multiple Input Validation Vulnerabilities
| Bugtraq ID: | 10089 |
| Class: | Input Validation Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 08 2004 12:00AM |
| Updated: | Apr 08 2004 12:00AM |
| Credit: | Discovery is credited to Dr_insane <[email protected]>. |
| Vulnerable: |
1st Class Internet Solutions 1st Class Mail Server 4.0 1 |
| Not Vulnerable: | |
Discussion
1st Class Internet Solutions 1st Class Mail Server Multiple Input Validation Vulnerabilities
Multiple vulnerabilities have been identified in the application that may allow a remote attacker to carry out directory traversal and cross-site scripting attacks.
1st Class Mail Server version 4.01 is reported to be prone to these issues, however, it is possible that other versions are affected as well.
Multiple vulnerabilities have been identified in the application that may allow a remote attacker to carry out directory traversal and cross-site scripting attacks.
1st Class Mail Server version 4.01 is reported to be prone to these issues, however, it is possible that other versions are affected as well.
Exploit / POC
1st Class Internet Solutions 1st Class Mail Server Multiple Input Validation Vulnerabilities
No exploit is required.
The following proof of concept examples have been provided:
http://www.example.com/AUTH=[some_value]/user/viewmail.tagz?Site=www.example.com&Mailbox=3&MessageIndex=[html_code]>
http://www.example.com/AUTH=[some_value]/user/?Site=www.example.com&Mailbox=[html_code]
http://www.example.com/AUTH=[some_value]/user/members.tagz?Site=www.example.com&Mailbox=[html_code]
http://www.example.com/AUTH=[some_value]/user/general.tagz?Site=www.example.com&Mailbox=[html_code]
http://www.example.com/AUTH=[some_value]/user/advanced.tagz?Site=www.example.com&Mailbox=<[html_code]>
http://www.example.com/AUTH=[some_value]/user/list.tagz?Site=www.example.com&Mailbox=[html_code]
No exploit is required.
The following proof of concept examples have been provided:
http://www.example.com/AUTH=[some_value]/user/viewmail.tagz?Site=www.example.com&Mailbox=3&MessageIndex=[html_code]>
http://www.example.com/AUTH=[some_value]/user/?Site=www.example.com&Mailbox=[html_code]
http://www.example.com/AUTH=[some_value]/user/members.tagz?Site=www.example.com&Mailbox=[html_code]
http://www.example.com/AUTH=[some_value]/user/general.tagz?Site=www.example.com&Mailbox=[html_code]
http://www.example.com/AUTH=[some_value]/user/advanced.tagz?Site=www.example.com&Mailbox=<[html_code]>
http://www.example.com/AUTH=[some_value]/user/list.tagz?Site=www.example.com&Mailbox=[html_code]
Solution / Fix
1st Class Internet Solutions 1st Class Mail Server Multiple Input Validation Vulnerabilities
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
1st Class Internet Solutions 1st Class Mail Server Multiple Input Validation Vulnerabilities
References:
References:
- 1st Class mail server 4.01 Directory Traversal and XSS vulnerabilities (Dr_Insane)
- 1st Class Mail Server Homepage (1st Class Internet Solutions)