Etype Eserv Multiple Input Validation Vulnerabilities

Bugtraq ID:	18179
Class:	Input Validation Error
CVE:	CVE-2006-2308 CVE-2006-2309
Remote:	Yes
Local:	No
Published:	May 31 2006 12:00AM
Updated:	May 31 2006 07:42PM
Credit:	Tan Chew Keong of Secunia Research is credited with the discovery of these vulnerabilities.
Vulnerable:	Etype Eserv 3.0 Etype Eserv 3.25
Not Vulnerable:	Etype Eserv 3.26

Etype Eserv Multiple Input Validation Vulnerabilities

Eserv is prone to multiple input-validation vulnerabilities. These issues include directory-traversal and code-disclosure vulnerabilities.

An attacker can exploit these issues to read other users' email messages, create and rename directories, delete arbitrary empty directories, and access the source code of arbitrary script files.

These issues affect version 3.25; other versions may also be vulnerable.

Etype Eserv Multiple Input Validation Vulnerabilities

These issues can be exploited through a web client.

Etype Eserv Multiple Input Validation Vulnerabilities

Solution:
The vendor has released version 3.26 to address this issue.


Etype Eserv 3.25

• Etype Eserv325-fix.zip
  http://www.eserv.ru/download/Eserv325-fix.zip


• Etype EservEproxy326a-setup.exe
  http://www.eserv.ru/download/EservEproxy326a-setup.exe

Etype Eserv 3.0

• Etype EservEproxy326a-setup.exe
  http://www.eserv.ru/download/EservEproxy326a-setup.exe

Etype Eserv Multiple Input Validation Vulnerabilities

References:

• EServ Homepage (EServ)
  
• Eserv/3 IMAP and HTTP Server Multiple Vulnerabilities (Secunia Research)
  
• Secunia Research: Eserv/3 IMAP and HTTP Server Multiple Vulnerabilities (Secunia Research)